Vibecoding Pro
Pass
Audited by ClawScan on May 10, 2026.
Overview
The supplied artifacts look like a coherent coding QA workflow template, with the main caution that it can run user-configured browser/API tests and subagents.
Before installing, treat this as a QA workflow template: use staging/local URLs, test accounts, least-privilege auth tokens, and review any adapted Python hooks before running them. Parts of SKILL.md and iteration_loop.py are marked truncated in the provided review text, so inspect the full files before relying on them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may click through a site or send API requests to URLs you provide during testing.
The evaluator templates intentionally use browser automation and direct HTTP calls. This is purpose-aligned for QA, but those tools can change application state if pointed at live or write-capable endpoints.
Step 1: Open [DEPLOYED_URL] in the browser. Step 2: Execute each test scenario from the spec as if you are a real user. ... Execute actual HTTP requests using available tools.
Use local or staging URLs, test data, and reviewed test scenarios; avoid destructive production endpoints unless you explicitly intend to test them.
If you provide a real token, tests could read or modify data allowed by that token.
The API evaluator template can be supplied with an authentication header or token. That is expected for authenticated API testing, but it gives the evaluator whatever access that credential allows.
**Base URL**: [API_BASE_URL] **Auth**: [AUTH_HEADER_OR_TOKEN]
Use least-privilege test credentials, avoid production tokens where possible, and rotate credentials if they are exposed in prompts or logs.
Specs, URLs, feedback, and possibly sensitive test context may be shared with configured subagents or model providers.
The script includes a commented template for passing the spec and artifact URL to a tester subagent. It is not automatic code, but it shows the intended inter-agent data flow.
# result = sessions_spawn(... agentId="tester", runtime="subagent" ... Spec (source of truth): {spec} ... Artifact URL: {artifact_url}
Use trusted subagents/providers and keep secrets out of specs, history, and prompts unless they are necessary for the test.
