ClawHub

Qa Patrol

Security checks across malware telemetry and agentic risk

Overview

QA Patrol is a disclosed local web-app testing skill, but users should run it only against test environments and treat generated evidence as sensitive.

Install only if you are comfortable granting local browser automation and, for advanced tests, optional repo read access and database connectivity. Use staging apps, synthetic data, disposable test accounts, Stripe test mode, and read-only or disposable database credentials; review plans for create/edit/delete steps before running, and secure or delete screenshots and reports after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The cross-platform test clicks a `delete_account_button` to verify dialog behavior, but the example does not include an explicit safeguard ensuring the action stops at the confirmation prompt and never completes deletion. In a local browser automation context with real test credentials, this can unintentionally delete a user account or associated data if the UI flow changes or the button performs immediate deletion.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The authentication examples show entering credentials and then taking browser snapshots to verify login state, but they do not warn that snapshots can capture sensitive account data such as email addresses, session-related UI, or other authenticated content. In a local QA automation skill, this can lead to inadvertent collection or retention of sensitive test or real-user data in logs, artifacts, or transcripts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot examples instruct users to save screenshot files without noting that screenshots may capture sensitive on-screen information, including authenticated pages, personal data, payment flows, or internal application state. Because this skill is specifically designed for local browser testing, artifact generation is expected behavior, which increases the likelihood of accidental retention or exposure of sensitive images.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal