Auto Qa

Security checks across malware telemetry and agentic risk

Overview

This web QA skill is legitimate in purpose, but it can capture sensitive browser evidence and send report screenshots to an inferred recent chat channel by default.

Review before installing. Use this only with test or staging accounts when possible, disable automatic current-channel notification unless you explicitly want report screenshots sent, review generated scenario JSON before execution, and avoid running it against sensitive authenticated pages without a clear destination and data-sharing expectation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The snapshot documents a capability to automatically send generated report screenshots to the current chat channel, which creates an unintended data egress path from a QA/testing tool into a communication channel. Because screenshots and reports can contain sensitive application state, internal URLs, tokens, user data, or failure evidence, default auto-posting materially increases disclosure risk beyond the core testing function.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented behavior infers a recent session/channel target and sends artifacts there even when the user did not explicitly specify a notification destination. Implicit target inference is dangerous because it can silently route sensitive QA evidence to the wrong conversation or audience, especially in multi-session or shared environments.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as web AutoQA, but it also includes outbound messaging logic that can route report screenshots and status text to external chat/session targets. This expands the data-flow boundary from local QA execution to external exfiltration channels, creating a meaningful confidentiality risk if screenshots, traces, URLs, or report contents contain sensitive information.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code autonomously infers recent chat-session routes from OpenClaw status data and can send messages/media without the user explicitly specifying a target each time. That capability is unrelated to core QA execution and increases the chance of unintended data disclosure to the wrong session, especially because routing is based on recency heuristics rather than explicit human confirmation.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill contains an exploration/crawling phase that discovers and follows links beyond the declared scenario, broadening access beyond the user-specified test path. In a QA context this can unintentionally hit sensitive routes, logout/destructive endpoints, or pages containing confidential data, increasing both privacy and integrity risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill auto-executes on broad phrases like '开始测试' or '再测一次' without a confirmation step. Because those phrases are common in normal conversation, the skill may trigger browser automation, evidence capture, file writes, and notifications when the user did not intend a high-impact action.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill collects screenshots, console logs, network traces, and may automatically deliver report screenshots to a chat channel, yet the user-facing description does not clearly warn about that collection and disclosure behavior. In a QA context, captured evidence can contain sensitive page content, tokens, internal URLs, or user data, so silent collection and forwarding materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatic screenshot capture plus automatic sending to a current chat channel can expose confidential page contents, test evidence, or personally identifiable information without a sufficiently prominent warning. In a QA context, artifacts often contain pre-release or internal data, so silent sharing increases the chance of accidental disclosure.

Missing User Warnings

High
Confidence
97% confidence
Finding
Enabling automatic sending to the inferred current session/channel by default is especially risky because it combines data capture, destination inference, and transmission without an affirmative user action. In the context of a QA automation skill, reports and screenshots are likely to include sensitive operational details, making unintended disclosure to the wrong channel a realistic and serious outcome.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The default behavior enables `--notify-auto-current-channel`, allowing automatic sending of report screenshots/messages to a recently active chat session with no explicit user-facing warning at execution time. Because reports and screenshots may contain internal application state, URLs, or personal data, this creates a realistic inadvertent exfiltration path.

VirusTotal

64/64 vendors flagged this skill as clean.
