Security Scan
OpenClaw
Safe
medium confidence
The skill is an instruction-only Browser QA methodology that is internally consistent with its stated purpose, but it omits explicit dependency/installation declarations and includes guidance that could access local browser state or require test credentials — exercise normal operational caution.
Assessment recommendations
This is an instruction-only QA methodology and is coherent with its description, but before running it you should: (1) ensure you have the required tooling (Playwright/Puppeteer/axe-core or an appropriate browser automation setup) installed in a controlled environment; (2) avoid running tests against production with your real Chrome profile — use a dedicated test profile or a headless browser to prevent accidental access to cookies/session data; (3) provide only test/staging credentials (never l...
ℹ Purpose and capabilities
The name and description (automated visual testing, interaction checks, accessibility) match the SKILL.md and reference docs. However, the skill references tooling (Playwright, Puppeteer, axe-core, and 'claude-in-chrome') and includes example code/snippets that imply Node/npm usage and a local Chrome instance, yet the registry metadata declares no required binaries, packages, or env vars. This mismatch is explainable for an instruction-only guide but worth noting: the skill will realistically need browser automation tooling present.
ℹ Instruction scope
Instructions stay within QA scope (navigate pages, capture console/network, take screenshots, run axe-core, test auth flows). They do not instruct reading arbitrary files or contacting unknown endpoints. One important scope consideration: the guidance recommends using a real Chrome instance ('claude-in-chrome') and testing auth flows; that can access the local browser profile, cookies, and authenticated sessions if used — a privacy/attack surface consideration even though it is coherent with testing authenticated journeys.
✓ Install mechanism
There is no install spec and no code files to run; the skill is instruction-only. This is the lowest install risk. References include example npm commands (e.g., installing @axe-core/react) and Playwright example code, which implies the operator will install packages themselves; that is expected for an instructions-only QA guide.
ℹ Credential requirements
The skill requests no environment variables or credentials. Practically, many of the suggested tests (auth flow, staging tests) require test credentials or access to a staging environment; those are not requested by the skill. Also, using the user's local Chrome for tests can expose cookies or other session data — the skill does not request them explicitly, but the operational guidance implies access to sensitive local browser state. This is a proportionality note, not a direct contradiction.
✓ Persistence and privileges
The skill does not request persistent presence (always:false) and does not claim to modify other agent configurations. It is user-invocable and can be run autonomously per platform defaults; nothing in the package requests elevated privileges or persistent/system-wide changes.
Security is layered; review the code before running it.
Runtime dependencies
OS: Linux · macOS · Windows
Install command
Official: npx clawhub@latest install browser-qa
Mirror: npx clawhub@latest install browser-qa --registry https://cn.longxiaskill.com (mirror available)