Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
QA Test Bots
v1.0.0
Automate end-to-end QA tests simulating user flows, checking UI elements, broken links, responsiveness, and performance across devices with Apify integration.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (automated QA using Apify, Puppeteer/Playwright) match the SKILL.md examples which call Apify actors and browser automation. Requiring an Apify token and npm dependency is coherent with the stated purpose — however the registry metadata lists no required environment variables despite the instructions asking the user to set APIFY_TOKEN, which is an inconsistency.
Instruction Scope
SKILL.md stays within QA/testing scope: it instructs how to obtain APIFY_TOKEN, install apify-client, and shows example actor calls that navigate pages, click, type, take screenshots, and crawl links. It does not instruct reading unrelated local files or exfiltrating data to third-party endpoints beyond Apify. It does include writing screenshots and videos to disk as part of test artifacts (expected for QA).
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. The only install instruction is a normal npm install (apify-client). No downloads from untrusted URLs or archive extraction are present; the only external site referenced is apify.com (plus an affiliate query param).
Credentials
The examples require APIFY_TOKEN (process.env.APIFY_TOKEN) to call Apify actors. The token request is proportional to the purpose, but the registry metadata does not declare this required environment variable — a metadata/intent mismatch that could mislead users about what credentials are needed. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not declare any persistence or system-wide config changes. It allows normal autonomous invocation (disable-model-invocation:false), which is the platform default and not by itself a red flag.
What to consider before installing
This skill appears to be a legitimate Apify-based QA testing guide, but the registry metadata failing to list APIFY_TOKEN is a concrete inconsistency. Before installing or running anything: (1) treat APIFY_TOKEN as a sensitive credential — create a limited-scope or throwaway token on Apify if possible; (2) verify the code examples before running them and run tests in a sandbox or staging environment (do not point tests at production systems without permission); (3) confirm the publisher/source and ask them to update the skill metadata to declare the required APIFY_TOKEN so you know what credentials are needed; (4) be aware the examples will perform automated actions against target sites (clicks, form submissions) — ensure those actions are allowed and will not leak private data; (5) if you need higher assurance, request the skill author to provide a homepage or source repository for review. If you are uncomfortable with an unknown publisher or providing API tokens, do not install.
Like a lobster shell, security has layers — review code before you run it.
latest vk976k35a6b4zztxq62f4nvg84984htsw
