Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qa Patrol
v1.0.3
Automated QA testing for web apps using local browser automation. Runs entirely on your machine — no data leaves, no cloud services, no external servers. Lev...
⭐ 0 · 902 · 5 current · 7 all-time
by Tahseen-ur Rahman (@tahseen137)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description, templates, and runtime instructions all describe local browser automation, optional static analysis, and optional DB checks. The optional env vars (test account creds, DATABASE_URL) and repo_path are appropriate for those features.
Instruction Scope
SKILL.md is explicit about levels and what will be accessed. One mismatch to note: the doc repeatedly states "nothing is sent to external servers," but tests may navigate to third-party domains (e.g., checkout.stripe.com) and the webhook/api_check templates perform HTTP requests; if your app or DB is remote those network interactions will contact external endpoints. The instructions also reference many optional env vars and local repo paths (for Level 3) — reasonable for the stated functionality but worth being aware of.
Install Mechanism
Instruction-only skill with no install spec and no bundled executables. No downloads or extracted archives — lowest install risk.
Credentials
Env vars requested in SKILL.md are optional test credentials and DATABASE_URL, which align with auth/payment and DB integrity testing. The registry metadata lists no required env vars (meaning none are mandatory) — SKILL.md references optional env vars rather than declaring required secrets. This is proportionate, but you should avoid supplying production credentials.
Persistence & Privilege
always:false and no install hooks or config-writing behavior in the skill. It does not request permanent platform presence or modify other skills' configs per the provided files.
Assessment
This skill appears to be what it claims: a local QA tool with optional static scans and DB checks. Before installing or running it: (1) Only provide test account credentials and point DATABASE_URL to a non-production/test database. (2) Expect the tool to navigate to the target URL and external services used by your app (e.g., Stripe checkout) — so "nothing leaves" is only true if your target and DB are local/test. (3) Level 3 static analysis will read local repo_path files, so run those scans only in repos you intend to scan. (4) Because this is instruction-only, its behavior depends on the platform's built-in browser/read capabilities — verify you trust the runtime environment. If you need extra assurance, run the skill in an isolated environment (VM/container) and review/edit the provided templates to remove or replace anything you don't want exercised.
Like a lobster shell, security has layers — review code before you run it.
