Webapp Testing Anthropic
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent local webapp testing skill, but it can run local commands and save browser logs/screenshots, so use it only with trusted projects and test data.
This skill appears safe for its stated purpose of testing local web applications. Before installing or using it, review any server command you ask it to run, use trusted local projects, avoid sensitive production data, and check generated screenshots or logs before sharing them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an untrusted or mistaken server command is supplied, it could run unintended local commands.
The helper intentionally runs a caller-supplied server command through the local shell, which is expected for starting development servers but can execute arbitrary local shell actions if misused.
process = subprocess.Popen(server['cmd'], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Use the helper only with trusted project commands, review the exact command string before running it, and avoid passing untrusted input into --server.
A user or agent might run bundled helpers without inspecting what they do first.
The skill discourages source inspection before use. The included helper source appears consistent with the stated purpose, but this wording can reduce pre-run review.
DO NOT read the source until you try running the script first... They exist to be called directly as black-box scripts
Treat this as performance guidance, not a security rule; inspect bundled scripts whenever you want assurance before execution.
Screenshots or console logs from a local app could contain sensitive test data, tokens printed by the app, or private UI content.
The example stores captured browser console logs in a local output file; other examples also write screenshots. This is purpose-aligned but may persist app data.
with open('/mnt/user-data/outputs/console.log', 'w') as f: f.write('\n'.join(console_logs))
Use non-sensitive test data where possible and review or delete generated logs/screenshots before sharing them.
It may be harder to verify the origin of the skill or know exactly how required tools such as Playwright should be installed.
The registry metadata does not provide an upstream source or install instructions. The bundled files are present for review, but dependency setup and provenance are not strongly declared.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the bundled files and install any needed dependencies, such as Playwright, only from trusted package sources.
