Skill v1.2.0
ClawScan security
Auto Qa · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 26, 2026, 2:56 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's purpose (automatic web QA) is plausible, but its runtime behavior and assumptions don't fully match its declared requirements — notably it implicitly needs an OpenClaw CLI, will auto-run tests without a confirmation step, and by default will infer a chat session and send full-page screenshots/reports to that channel unless overridden.
- Guidance
- This skill appears to implement a full web QA runner and will execute a bundled Python script that calls the OpenClaw CLI and system commands. Before installing/running:
  - Verify you have a trusted 'openclaw' CLI or understand the pnpm fallback; the skill implicitly depends on that binary even though the registry metadata lists none.
  - Audit src/skills/auto-qa/scripts/run_autoqa.py (already included) to confirm no unexpected network endpoints or secrets exfiltration beyond calling the OpenClaw CLI.
  - Be aware the skill defaults to: (a) immediately executing scenarios when the user asks (no extra confirmation), and (b) generating a full-page PNG of the report and auto-sending it to a recently active chat session inferred from openclaw status. If you are concerned about accidental disclosure, run with explicit notify flags (or --no-notify-auto-current-channel) and/or run in a sandboxed environment first.
  - Avoid passing direct local file paths or enabling forced direct scenario paths unless you trust the scenario contents, since the script will expand and may copy user files referenced by scenarios.
  - If you need lower-risk behavior, ask the skill to require explicit confirmation before running and to disable auto-notify by default; if that cannot be changed, treat this skill as higher-risk and test in an isolated environment.
Review Dimensions
- Purpose & Capability
- concern: SKILL.md and included code rely on an external CLI named 'openclaw' (DEFAULT_BROWSER_BIN) and on invoking 'openclaw status --json' to infer recent sessions/targets; however the skill metadata declares no required binaries or credentials. The script also has a pnpm fallback that expects a repository/package.json. The declared manifest (no required binaries/env) is therefore incomplete and inconsistent with what the code actually needs.
- Instruction Scope
- concern: The runtime instructions mandate 'direct execution' when the user expresses intent (no prior plan/confirmation). They also instruct the agent to: open target URLs, snapshot page structure, generate scenarios automatically, run the browser executor, collect screenshots/console/network/trace, and — importantly — capture a full-page report image and send it to a chat channel inferred from 'openclaw status --json' unless user opts out. That behavior broadens scope (automatic networked notification and evidence posting) beyond a simple QA script and can expose sensitive artifacts without an explicit user confirmation step.
- Install Mechanism
- note: No install spec (instruction-only) — low install risk. However the package includes a large Python script (run_autoqa.py) that will be executed; it runs subprocesses, reads/writes files, and may interact with pnpm/openclaw. Because there is no formal install, execution depends on available system tooling and the script's subprocess calls — review the script before execution.
- Credentials
- concern: The skill requests no environment variables but expects access to system tools and OpenClaw state. It will call 'openclaw status --json' to infer recent sessions and target chat channels, and can copy files referenced by scenario inputs (copy_if_exists expands user paths). That means the skill can read local files and push screenshots/evidence to chat channels even though no credentials or explicit config are declared. These capabilities are broader than the zero-env declaration implies.
- Persistence & Privilege
- note: always:false (good), and autonomous invocation is allowed (platform default). The notable privilege is behavioral: default post-run behavior changed to 'generate report screenshot' and to 'auto-send to inferred current session' unless the user supplies --no-notify-auto-current-channel. Combined with immediate execution on user intent, this creates a higher risk of accidental data leakage into chat channels. The skill does not request permanent system hooks, but its defaults are assertive.
