Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A.I Ventures Test Gen A.I Agent

v1.0.1

Analyzes a given URL and automatically generates comprehensive functional, UI, and boundary test cases.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kushanlk/ss-ss.

Install the skill "A.I Ventures Test Gen A.I Agent" (kushanlk/ss-ss) from ClawHub.
Skill page: https://clawhub.ai/kushanlk/ss-ss
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ss-ss

ClawHub CLI

npx clawhub@latest install ss-ss

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The declared purpose (analyze a URL and generate test cases) matches the idea of a DOM-extractor script. package.json lists playwright (a browser automation library) which is a reasonable dependency for this purpose. However, the critical implementation file analyze-dom.js is empty (0 bytes) so the skill as packaged cannot perform its stated function. There is no homepage or source provenance to justify the package or owner.
Instruction Scope
SKILL.md gives precise runtime instructions: run `node analyze-dom.js <URL>`, read JSON output, then generate test plans. Those instructions do not request unrelated files, env vars, or odd exfiltration endpoints. The problem is the instruction assumes a local script will produce JSON, but the script is missing—so the instructions are impossible to follow and may prompt an agent or user to obtain or execute unknown code.
Install Mechanism
There is no install specification (instruction-only), but package.json declares a dependency on playwright (^1.59.1). Playwright is a legitimate but heavyweight dependency (downloads browsers). The absence of an install step or documented provenance means a user/agent may need to fetch npm packages at runtime; this is not itself malicious but is an operational gap and increases risk if the missing script is later supplied from an unknown source.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to the stated purpose (web DOM analysis) and there are no apparent attempts to request unrelated secrets.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. It does not declare actions that modify other skills or system-wide settings. No persistence or elevated platform privileges are requested.
What to consider before installing
Do not run or install this skill as-is. The analyze-dom.js file is empty, so the package cannot perform its stated task — this is an implementation gap that could be benign (forgotten file) or a sign the real code is supplied later from an untrusted source. Before installing or running anything:

  1. Request the full analyze-dom.js source and review it for network calls, file I/O, and data exfiltration.
  2. Verify the package comes from a known author or repository (homepage/source control).
  3. If you must test it, run it in an isolated sandbox with no access to sensitive files or credentials and with network egress restricted.
  4. Be aware playwright will download browsers if installed from npm; prefer installing dependencies from the official registry and reviewing package-lock files.
  5. Decline use if the author cannot provide source/provenance or if the script contains unexpected network endpoints or secret-accessing code.

Like a lobster shell, security has layers — review code before you run it.

118 downloads
0 stars
2 versions
Updated 3w ago
MIT-0

Execution Instructions

When instructed to generate test cases for a specific URL, you must:

  1. Execute the command: node analyze-dom.js <URL>
  2. Read the JSON output containing the interactive DOM elements.
  3. Use your reasoning capabilities to map out logical user journeys based on the extracted elements.
  4. Output a strictly formatted Markdown Test Plan with Steps to Reproduce, Expected Results, and Edge Cases.
