Auto Qa
Review
Audited by ClawScan on May 10, 2026.
Overview
Auto Qa looks purpose-built for browser QA, but it can use a browser profile and automatically post report screenshots to an inferred chat channel, so it should be reviewed before use.
Install or run this only if you are comfortable with it controlling a browser for QA. Prefer a dedicated test profile/account, avoid production-destructive flows, review or disable automatic chat notification, and treat generated evidence/report folders as sensitive.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on a production or logged-in site, the agent may perform real website actions as part of a generated QA scenario.
The skill is designed to immediately run browser actions, including typing/clicking and browser-context evaluation, once a QA intent is expressed. This is purpose-aligned, but users should notice it can act on live pages without a separate plan-confirmation step.
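When the user expresses an execution intent such as "run QA / test again / do automated regression / start testing", default to executing directly, without first replying with a "plan confirmation". ... Supported actions ... `click` ... `type` ... `press` ... `evaluate`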
Run it against staging/test accounts where possible, and ask to review or constrain generated scenarios before any state-changing flows.
The QA run could interact with websites under the user's active browser identity and capture evidence from authenticated pages.
The skill runs through a browser profile, which may carry authenticated web sessions. The artifacts do not clearly bound which profile should be used, require test-only accounts, or explain how authenticated-session side effects are contained.
Input: scenario JSON, browser profile, run_id ... `--browser-profile openclaw`
Use a dedicated QA browser profile and test credentials; declare the profile/session dependency clearly and require confirmation for sensitive authenticated workflows.
Local report folders may retain screenshots, URLs, console messages, network details, or generated prompts that should be treated as sensitive project evidence.
The skill persistently stores browser screenshots, console/network/trace evidence, and prompts for reuse in later work. This is aligned with QA reporting, but these artifacts can contain sensitive page data or debugging details.
Automatically collects failure evidence (screenshots, console, network, trace) ... `demo/artifacts/run-<run_id>/` ... `fix_plan.json`, `next_window_prompt.md`, `standby_prompt.txt`
Store outputs in a controlled workspace, add retention/cleanup guidance, and avoid running against pages that expose secrets unless the evidence directory is protected.
A report screenshot or QA result could be posted to the wrong chat channel, exposing project or website information.
The reference documentation says report screenshots can be sent automatically to an inferred recent/current chat channel even when no explicit notification target is provided. QA reports may contain captured page and diagnostic data, and the inferred destination may not be the intended audience.
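`当前会话自动发送` (auto-send to current session) is enabled by default ... When `--notify-channel` / `--notify-target` is not passed explicitly, it will also try to infer the channel from the most recent session and send.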
Make report notification opt-in, require an explicit target or confirmation before sending, and keep an easy default-off option such as `--no-notify-auto-current-channel`.
