Security Scan
OpenClaw
Safe
high confidence
The skill's files and instructions are coherent with a local QA/testing tool: optional test credentials, local static scans, and DB checks are expected and proportionate; nothing obvious indicates misdirection or hidden exfiltration.
Assessment and recommendations
This skill appears to be what it claims: a local QA tool with optional static scans and DB checks. Before installing or running it: (1) Only provide test account credentials and point DATABASE_URL to a non-production/test database. (2) Expect the tool to navigate to the target URL and external services used by your app (e.g., Stripe checkout) — so "nothing leaves" is only true if your target and DB are local/test. (3) Level 3 static analysis will read local repo_path files, so run those scans on...
✓ Purpose and capabilities
Name/description, templates, and runtime instructions all describe local browser automation, optional static analysis, and optional DB checks. The optional env vars (test account creds, DATABASE_URL) and repo_path are appropriate for those features.
ℹ Instruction scope
SKILL.md is explicit about levels and what will be accessed. One mismatch to note: the doc repeatedly states "nothing is sent to external servers," but tests may navigate to third-party domains (e.g., checkout.stripe.com) and the webhook/api_check templates perform HTTP requests; if your app or DB is remote those network interactions will contact external endpoints. The instructions also reference many optional env vars and local repo paths (for Level 3) — reasonable for the stated functionality but worth being aware of.
✓ Install mechanism
Instruction-only skill with no install spec and no bundled executables. No downloads or extracted archives — lowest install risk.
ℹ Credential requirements
Env vars requested in SKILL.md are optional test credentials and DATABASE_URL, which align with auth/payment and DB integrity testing. The registry metadata lists no required env vars (meaning none are mandatory) — SKILL.md references optional env vars rather than declaring required secrets. This is proportionate, but you should avoid supplying production credentials.
✓ Persistence and privileges
always:false and no install hooks or config-writing behavior in the skill. It does not request permanent platform presence or modify other skills' configs per the provided files.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.3 2026/2/16
v1.0.3: Fix registry metadata — removed unsupported nested objects causing [object Object], moved env/permissions docs to body, clarified read permission is Level 3 only
● Suspicious
Install command
Official: npx clawhub@latest install qa-patrol
Mirror: npx clawhub@latest install qa-patrol --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库