Trust Assessment
vibetesting received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 0 critical, 0 high, 5 medium, and 2 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Missing required field: name", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Unsafe deserialization / dynamic eval**: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/senthazalravi/zohoclaw/skills/vibetesting/index.js:191 |
| MEDIUM | **Unsafe deserialization / dynamic eval**: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/senthazalravi/zohoclaw/skills/vibetesting/index.js:229 |
| MEDIUM | **Missing required field: name**: the 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/senthazalravi/zohoclaw/skills/vibetesting/SKILL.md:1 |
| MEDIUM | **Missing `fetch` dependency for Node.js 14+**: the `index.js` file uses the `fetch` API, which is native to Node.js 18 and above. However, `package.json` specifies `engines: { "node": ">=14.0.0" }`, and Node.js versions 14-17 do not have native `fetch`. This implies a missing dependency (e.g., `node-fetch`) in `package.json`. Without this dependency explicitly declared and installed, the skill will fail on older Node.js versions or rely on an implicitly available global `fetch` polyfill, which is an unpinned dependency and a supply chain risk. Add `node-fetch` (or a similar `fetch` polyfill) as a dependency in `package.json` and ensure it is imported and used correctly in `index.js` for Node.js versions below 18. Alternatively, update the `engines` field to `"node": ">=18.0.0"` if the skill is intended only for newer Node.js versions. | LLM | package.json:29 |
| MEDIUM | **Potential insecure handling of authentication credentials**: the skill accepts an `auth` parameter for basic authentication credentials (`user`, `pass`). While the `SKILL.md` advises users not to commit credentials and to use environment variables, the provided `index.js` snippet is truncated, making it impossible to verify how these credentials are handled internally. If the skill logs these credentials, stores them unencrypted in reports, or exposes them in any other way, it constitutes a credential harvesting risk. The `index.js` snippet shows `this.config.auth = config.auth \|\| null;`, meaning they are stored in the `this.config` object. Without further code, their usage and security cannot be confirmed. Implement secure handling for authentication credentials. This includes: 1. Never logging credentials to console or reports. 2. Ensuring credentials are not stored in plain text in memory longer than necessary. 3. Using secure methods to pass credentials to browser automation tools (e.g., `page.authenticate()`) rather than embedding them directly in URLs or headers if possible. 4. Explicitly redacting credentials from any output or error messages. | LLM | SKILL.md:108 |
| LOW | **Node lockfile missing**: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/senthazalravi/zohoclaw/skills/vibetesting/package.json |
| LOW | **Discrepancy between advertised capabilities and implemented code**: the skill's `SKILL.md` extensively describes 'Browser Automation Testing' capabilities including UI, accessibility, performance (Lighthouse, Core Web Vitals), and visual regression testing, all of which require a full browser environment. However, the provided `index.js` snippet for `initBrowser()` explicitly states 'Browser automation not available' and 'Using alternative detection methods' without initializing any browser automation library (such as Puppeteer or Playwright). The `navigate()` function only uses `fetch` to retrieve page content. This indicates that the skill, as implemented in the provided code, cannot perform its advertised browser-based testing functions, including critical security checks like XSS scanning or CSP validation that require a live browser. This impacts the trustworthiness and effectiveness of the skill, especially for its security-related claims. Either implement the full browser automation capabilities using a library like Puppeteer/Playwright, or update the `SKILL.md` to accurately reflect the skill's actual capabilities (e.g., static analysis of fetched HTML). If browser automation is intended, ensure the necessary libraries are installed and initialized. | LLM | SKILL.md:10 |
Full report: https://skillshield.io/report/45518a7b713ef511