AI-powered automated QA for web apps. Smoke tests, accessibility, visual regression. Works with Cursor, Claude, ChatGPT, Copilot. Vibe-coding ready.
Security Analysis
High confidence: The skill's code, README, and runtime instructions are consistent with an npm-based web QA CLI that wraps an external agent-browser CLI; nothing in the bundle indicates unexplained credential access or hidden exfiltration.
Name/description (web QA, smoke tests, accessibility, visual regression) align with the included source files (QABot, Browser wrapper, assertions, CLI). The code calls an external agent-browser CLI for browser control which is expected for this purpose.
SKILL.md instructs installing the package and agent-browser, using CLI commands (smoke, run, report) and programmatic API. It does not request unrelated environment variables or direct the agent to read system secrets; runtime instructions focus on browser automation and reporting.
The skill has no formal install spec in the registry but SKILL.md recommends npm install -g web-qa-bot and installing agent-browser. The package files are TypeScript sources (src/) but the CLI bin points at dist/cli.js — that may cause runtime problems if the package is distributed without a built dist. Also the peer dependency agent-browser has an install script and playwright-core is present in the lockfile; those can download browser binaries and run install-time actions. This is expected for a browser automation tool but worth noting.
The skill declares no required environment variables or credentials and the code does not reference secrets or unrelated config paths. It interacts with local filesystem for screenshots and reads/writes test/report files — appropriate for its purpose.
Skill is not force-included (always: false). It does not request to modify other skills or system-wide agent settings. It launches or connects to browsers but limits actions to CLI calls and local files.
Guidance
This package appears coherent for automated web QA, but check a few practical points before installing or running it:
- agent-browser and Playwright: The tool relies on the agent-browser CLI (peer dependency) and the lockfile references playwright-core; those packages may run install scripts and download browser binaries. That is normal for browser automation but expect large downloads and install-time activity.
- Build/distribution mismatch: The repository content contains TypeScript source (src/) while the CLI bin refers to dist/cli.js. If you install a published package, verify the package includes a built dist/ directory; otherwise the CLI may fail to run.
- File system and browser access: The tool writes screenshots and report files to disk and launches/controls browser instances. Do not point it at sensitive internal systems or provide secrets in test files unless you trust the package source.
- PDF/reporting dependencies: SKILL.md mentions ai-pdf-builder and LaTeX for PDF export; those are not listed as direct dependencies — you may need to install extra tooling to generate PDFs.
- Verify origin: The skill metadata lists a repo and npm name. If you plan to use this in production, verify the package on npm/GitHub (authors, recent releases, checksums) to avoid typosquat or forged packages.
If you want, I can: (a) scan the omitted source files for any network endpoints or suspicious code paths, (b) check for any hard-coded URLs/credentials inside all files, or (c) produce a short checklist to safely run the first smoke test in an isolated environment.
Latest Release
v0.1.3
- Added comprehensive documentation and usage guide in SKILL.md.
- Included installation steps, core commands, and example workflows for smoke tests, test suites, and visual regression.
- Detailed integration instructions with agent-browser CLI.
- Provided troubleshooting tips and supported test result/report formats.
- Listed major use cases and best practices for reliable automated QA of web apps.
Published by @NextFrontierBuilds on ClawHub