QA Patrol

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A test run could create, edit, delete, or otherwise mutate data in the target web app.

Why it was flagged

The advanced SaaS template can direct browser automation to perform destructive UI actions. This is purpose-aligned for QA, but it can change real app data if run against a production account.

Skill content

name: Delete item ... click: { ref: delete_button } ... click: { ref: confirm_delete }

Recommendation

Run these plans only against apps and accounts you control, preferably staging/test environments, and review mutation steps before execution.

What this means

If production credentials or a write-capable production database URL are supplied, the agent could access sensitive accounts or data during testing.

Why it was flagged

The skill may use privileged test accounts and a database connection. The artifacts disclose this and warn against production credentials, but these inputs are still high-impact.

Skill content

`ADMIN_PASSWORD` ... `PRO_PASSWORD` ... `DATABASE_URL` ... Use test credentials only — never supply production passwords or production DATABASE_URL.

Recommendation

Use dedicated test accounts, least-privilege credentials, test-mode Stripe, and a read-only or disposable database connection where possible.

What this means

Sensitive UI content, console messages, or test data could appear in local reports or the agent context.

Why it was flagged

QA evidence, screenshots, snapshots, and console logs may include sensitive page content or test data. The artifacts frame this as local QA reporting, not exfiltration.

Skill content

Capture snapshot and console logs ... Record PASS/FAIL/SKIP with evidence

Recommendation

Use scrubbed test data and review generated reports or screenshots before sharing them.

What this means

A user might read the privacy claim too broadly and forget that target apps and connected services still receive the automated test traffic.

Why it was flagged

The privacy wording is broad: the skill does not show its own cloud service, but testing a web app or database necessarily sends traffic to the user-provided app, Stripe/test services, or database endpoint.

Skill content

Nothing is sent to external servers ... `APP_URL` ... `DATABASE_URL`

Recommendation

Interpret the claim as meaning there is no QA Patrol vendor/cloud backend, not that there is no network traffic; point the skill only at intended test targets.