← 返回 Skills 市场

Web Qa Bot

Name: Web Qa Bot
Author: nextfrontierbuilds

作者 Next Frontier AI · GitHub ↗ · v0.1.3

cross-platform ⚠ suspicious

1997

总下载

当前安装

版本数

在 OpenClaw 中安装

/install web-qa-bot

功能描述

AI-powered automated QA for web apps. Smoke tests, accessibility, visual regression. Works with Cursor, Claude, ChatGPT, Copilot. Vibe-coding ready.

安全使用建议

This package appears coherent for automated web QA, but check a few practical points before installing or running it: - agent-browser and Playwright: The tool relies on the agent-browser CLI (peer dependency) and the lockfile references playwright-core; those packages may run install scripts and download browser binaries. That is normal for browser automation but expect large downloads and install-time activity. - Build/distribution mismatch: The repository content contains TypeScript source (src/) while the CLI bin refers to dist/cli.js. If you install a published package, verify the package includes a built dist/ directory; otherwise the CLI may fail to run. - File system and browser access: The tool writes screenshots and report files to disk and launches/controls browser instances. Do not point it at sensitive internal systems or provide secrets in test files unless you trust the package source. - PDF/reporting dependencies: SKILL.md mentions ai-pdf-builder and LaTeX for PDF export; those are not listed as direct dependencies — you may need to install extra tooling to generate PDFs. - Verify origin: The skill metadata lists a repo and npm name. If you plan to use this in production, verify the package on npm/GitHub (authors, recent releases, checksums) to avoid typosquat or forged packages. If you want, I can: (a) scan the omitted source files for any network endpoints or suspicious code paths, (b) check for any hard-coded URLs/credentials inside all files, or (c) produce a short checklist to safely run the first smoke test in an isolated environment.

功能分析

Type: OpenClaw Skill Name: web-qa-bot Version: 0.1.3 The skill contains critical shell injection vulnerabilities. In `src/browser.ts`, user-controlled inputs such as URLs (in `goto`), selectors (in `click`, `hover`, `select`), screenshot names, and keyboard keys (in `press`) are directly concatenated into shell commands executed via `execSync` without sufficient sanitization. This allows an attacker to execute arbitrary commands on the host system by crafting malicious test suite files or CLI arguments. A similar vulnerability exists in `src/reporter.ts`, where `execSync` is used to invoke `ai-pdf-builder` with user-controlled output paths and company names, also without proper escaping.

能力评估

✓ Purpose & Capability

Name/description (web QA, smoke tests, accessibility, visual regression) align with the included source files (QABot, Browser wrapper, assertions, CLI). The code calls an external agent-browser CLI for browser control which is expected for this purpose.

✓ Instruction Scope

SKILL.md instructs installing the package and agent-browser, using CLI commands (smoke, run, report) and programmatic API. It does not request unrelated environment variables or direct the agent to read system secrets; runtime instructions focus on browser automation and reporting.

ℹ Install Mechanism

The skill has no formal install spec in the registry but SKILL.md recommends npm install -g web-qa-bot and installing agent-browser. The package files are TypeScript sources (src/) but the CLI bin points at dist/cli.js — that may cause runtime problems if the package is distributed without a built dist. Also the peer dependency agent-browser has an install script and playwright-core is present in the lockfile; those can download browser binaries and run install-time actions. This is expected for a browser automation tool but worth noting.

✓ Credentials

The skill declares no required environment variables or credentials and the code does not reference secrets or unrelated config paths. It interacts with local filesystem for screenshots and reads/writes test/report files — appropriate for its purpose.

✓ Persistence & Privilege

Skill is not force-included (always: false). It does not request to modify other skills or system-wide agent settings. It launches or connects to browsers but limits actions to CLI calls and local files.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install web-qa-bot
安装完成后，直接呼叫该 Skill 的名称或使用 /web-qa-bot 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.3

- Added comprehensive documentation and usage guide in SKILL.md. - Included installation steps, core commands, and example workflows for smoke tests, test suites, and visual regression. - Detailed integration instructions with agent-browser CLI. - Provided troubleshooting tips and supported test result/report formats. - Listed major use cases and best practices for reliable automated QA of web apps.

v0.2.2

Rebranded to OpenClaw

v0.2.1

SEO update

v0.1.1

- Updated skill.

v0.1.0

Initial release of web-qa-bot. - Provides AI-powered, accessibility-tree based web application QA automation. - Supports smoke testing, running test suites, and generating PDF/Markdown/JSON reports. - Integrates with agent-browser for browser automation and debugging. - Offers both CLI and programmatic usage options. - Test results are structured and suitable for CI/CD integration. - Includes troubleshooting tips and best practices for reliable web testing.

元数据

Slug web-qa-bot

版本 0.1.3

许可证 —

累计安装 1

当前安装数 1

历史版本数 5

常见问题

Web Qa Bot 是什么？

AI-powered automated QA for web apps. Smoke tests, accessibility, visual regression. Works with Cursor, Claude, ChatGPT, Copilot. Vibe-coding ready. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1997 次。

如何安装 Web Qa Bot？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install web-qa-bot」即可一键安装，无需额外配置。

Web Qa Bot 是免费的吗？

是的，Web Qa Bot 完全免费（开源免费），可自由下载、安装和使用。

Web Qa Bot 支持哪些平台？

Web Qa Bot 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Web Qa Bot？

由 Next Frontier AI（@nextfrontierbuilds）开发并维护，当前版本 v0.1.3。