Dogfood
v1.0.0
Systematically explore and test a web application to find bugs, UX issues, and other problems. Use when asked to "dogfood", "QA", "exploratory test", "find i...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (exploratory QA / 'dogfooding') match the runtime instructions and included templates. The skill uses a browser-automation CLI (agent-browser) and local report templates and checklists — all expected for this purpose. No unrelated binaries, cloud credentials, or config paths are requested.
Instruction Scope
Instructions direct the agent to fully exercise the app, take annotated screenshots, record repro videos, capture console/errors, and save session state (auth-state.json). These actions are appropriate for QA but will collect potentially sensitive data (authentication cookies, PII seen during testing). The SKILL.md also says not to ask clarifying questions except for missing credentials, which may cause the agent to proceed automatically; and it tells callers to prefer the direct 'agent-browser' binary while allowed-tools also lists 'npx agent-browser' — a minor inconsistency.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install mechanism (nothing is downloaded or executed beyond using existing CLI tools).
Credentials
The skill declares no required environment variables or credentials, which is reasonable. At runtime it expects the user to provide login credentials or OTPs when testing authenticated areas, and it explicitly saves auth state to disk. That behavior is proportional to QA but means sensitive credentials/tokens will be written to the OUTPUT_DIR unless the user avoids providing real credentials.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It writes artifacts to an output directory and reads its own template files (SKILL_DIR); it does not modify other skills or global agent config.
Assessment
This skill appears to do what it says: automated exploratory testing and reporting. Before running it, consider:
(1) it will capture screenshots, console logs, videos, and will save authentication state (auth-state.json) — treat those outputs as sensitive;
(2) avoid using real-production user accounts or secrets during runs; prefer a throwaway or test account and clear saved auth-state files after use;
(3) confirm where OUTPUT_DIR points and ensure the directory is secure (or use a temp directory);
(4) the skill assumes an 'agent-browser' CLI is available — verify that binary and its provenance;
(5) if you need tighter control, require the agent to ask for explicit permission before starting a session or before saving auth state.
Overall the skill is internally consistent with its purpose, but exercise standard caution around captured credentials and test artifacts.
Like a lobster shell, security has layers — review code before you run it.
