Web Qa Bot

Security checks across malware telemetry and agentic risk

Overview

This web QA skill has a coherent testing purpose, but it needs review because crafted test inputs or report options can reach shell commands assembled from strings and potentially execute local commands.

Install only if you trust the test suites, URLs, selectors, report paths, and company/output values you will pass to it. Avoid running untrusted YAML/JSON suites or report options until the package replaces execSync shell strings with argument-vector execution and adds input validation. Treat screenshots, console logs, reports, and authenticated browser sessions as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability (Medium severity, 93% confidence)

Finding
The evaluate() method exposes arbitrary JavaScript execution in the loaded page context, which exceeds what is necessary for a smoke/accessibility/visual QA wrapper. In an agent setting, untrusted prompts or test data could drive this method to read sensitive page state, manipulate application behavior beyond intended testing, or bypass safer high-level automation primitives.

Context-Inappropriate Capability (Medium severity, 97% confidence)

Finding
The exec() helper constructs a shell command by joining strings and passes it to execSync, making shell execution the primary control plane for browser actions. Because downstream methods pass user-influenced values such as URLs, refs, file paths, keys, and scripts into this command string, this creates command injection risk and gives the skill broader host execution capability than its QA description implies.

Context-Inappropriate Capability (Medium severity, 95% confidence)

Finding
The PDF generation path builds a shell command with interpolated user-controlled values (`mdPath`, `options.output`, and `company`) and executes it with `execSync`. Because shell metacharacters inside double-quoted arguments can still be expanded by the shell, an attacker who controls report options may achieve command injection or trigger execution of unintended commands/packages via `npx`.

Missing User Warnings (Medium severity, 85% confidence)

Finding
The plan explicitly includes console capture, network failure monitoring, screenshots, and report generation, all of which can collect sensitive information from the tested application such as tokens, PII, internal URLs, or confidential UI state. In a web QA automation skill, this is especially relevant because the tool is intended to run against real web apps, yet the plan does not mention data minimization, redaction, consent, retention limits, or user warnings.

Missing User Warnings (Medium severity, 98% confidence)

Finding
User-influenced arguments are interpolated into a single shell command without robust escaping; only double quotes, and only at a few call sites, are escaped. Inputs such as url, ref, key, screenshot filename, or script can therefore carry shell metacharacters or otherwise alter command behavior, leading to arbitrary local command execution under the agent's privileges.

VirusTotal

64/64 vendors flagged this skill as clean.