SR
SKILLRADAR
AI Security • Benchmarking • Index
Menu
Trust Report v1

openclaw-qa-testing

Run, watch, debug, extend, or explain OpenClaw qa-lab and qa-channel scenarios, artifacts, and live lanes.

Overall
63
Trust
29
Utility
88
Momentum
95

Install caution

High-risk behavior present

Risk: High

Source: OpenClaw Built-in Skills

Path: .agents/skills/openclaw-qa-testing/SKILL.md

Review flags: browser/session access, credential or secret references, filesystem/home-directory access, network access or external URLs. These are review signals, not definitive security judgments; inspect before installing.

Required permissions

  • Environment variables / secrets
  • Shell commands
  • Network/API usage
  • Filesystem/home access
  • Browser/session access

Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.

Risk flags explained

browser_or_session_accessmedium

Mentions browser automation, cookies, sessions, local storage, or browser state.

credential_or_secret_referencehigh

Mentions tokens, API keys, passwords, or private-key style environment variables.

filesystem_write_or_home_accessmedium

Mentions filesystem writes, deletes, home-directory paths, or config/key locations.

network_accessmedium

Mentions external URLs, network APIs, downloads, or HTTP client usage.

shell_commandmedium

Contains shell command snippets. Review commands before copy/paste or agent execution.

Score explanation

Trust

  • Trust starts at 90 before review-signal penalties and metadata bonuses.
  • Risk-signal penalty: -63 from 5 detected flag(s).
  • Metadata bonus: +2 from author/version/description fields.

Utility

  • Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
  • Description present: yes.
  • Command examples detected: 14.
  • Environment variables detected: 6.

Momentum

  • Momentum starts at 45 and uses public repo activity signals.
  • Recent commit activity: latest repo update was 0 day(s) ago.
  • Recent commit volume: 100 commit(s) in the lookback window (+20).
  • Source has strong public adoption: 379781 stars.
  • Fork activity suggests reuse: 79500 forks.

Overall

  • Overall score weights trust 45%, utility 35%, and momentum 20%.

Detected signals

Env vars

  • OPENAI_API_KEY
  • OPENCLAW_LIVE_OPENAI_KEY
  • OPENCLAW_QA_CONVEX_SECRET_CI
  • OPENCLAW_QA_CONVEX_SECRET_MAINTAINER
  • OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN
  • OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN

Commands

  • gh api repos/openclaw/openclaw/actions/runs/<run-id>/artifacts
  • gh run view --json artifacts
  • gh workflow run "NPM Telegram Beta E2E" --repo openclaw/openclaw --ref main -f package_spec=openclaw@YYYY.M.D-beta.N -f package_label=openclaw@YYYY.M.D-beta.N -f provider_mode=mock-openai
  • openclaw-qa
  • pnpm openclaw qa character-eval --model openai/gpt-5.4,thinking=xhigh --model openai/gpt-5.2,thinking=xhigh --model openai/gpt-5,thinking=xhigh --model anthropic/claude-opus-4-6,thinking=high --model anthropic/claude-sonnet-4-6,thinking=high --model zai/glm-5.1,thinking=high --model moonshot/kimi-k2.5,thinking=high --model google/gemini-3.1-pro-preview,thinking=high --judge-model openai/gpt-5.4,thinking=xhigh,fast --judge-model anthropic/claude-opus-4-6,thinking=high --concurrency 16 --judge-concurrency 16 --output-dir .artifacts/qa-e2e/character-eval-<tag>
  • pnpm openclaw qa manual --model codex-cli/<codex-model> --message "Reply exactly: CODEX_OK"
  • pnpm openclaw qa matrix
  • pnpm openclaw qa matrix --profile fast --fail-fast
  • pnpm openclaw qa suite --provider-mode live-frontier --model codex-cli/<codex-model> --alt-model codex-cli/<codex-model> --scenario <scenario-id> --output-dir .artifacts/qa-e2e/codex-<tag>
  • pnpm openclaw qa suite --provider-mode live-frontier --model openai/gpt-5.4 --alt-model openai/gpt-5.4 --output-dir .artifacts/qa-e2e/run-all-live-frontier-<tag>
  • pnpm openclaw qa whatsapp --credential-source convex --credential-role maintainer --provider-mode mock-openai
  • pnpm qa:otel:smoke

URLs

  • http://127.0.0.1:<port

Provenance & evidence

SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.

source
github.com/openclaw/openclaw@main
path
.agents/skills/openclaw-qa-testing/SKILL.md
source blob SHA
01f1d5ee3dc3665c8c91c3403391de8a1824ccb0
scanner version
0.3.0
security model
text_only_no_execute_no_install_no_secrets
scan policy
Fetched and scored as text only; no install, no execution, no runtime loading.

Evidence snippets

credential_or_secret_reference

…validation: `live-frontier` 3. For live OpenAI, use: ```bash OPENCLAW_LIVE_OPENAI_KEY="${OPENAI_API_KEY}" \ pnpm openclaw qa suite \ --provider-mode live-frontier \ --model openai/gpt-5.4 \…

filesystem_write_or_home_access

…fenced `qa-scenario` / `qa-flow` Markdown files. - For isolated character/persona evals, write the persona into `SOUL.md` and blank `IDENTITY.md` in the scenario flow. Use `SOUL.md + I…

network_access

…e user wants to watch the live UI, find the current `openclaw-qa` listen port and report `http://127.0.0.1:<port>`. 6. If a scenario fails, fix the product or harness root cause, then rer…

browser_or_session_access

…aths plus redacted pass/fail summaries. - If WhatsApp expires or invalidates a linked Web session, relink locally, package fresh auth archives, add a new Convex row, then disable the stal…

shell_command

…- mock/dev: `mock-openai` - real validation: `live-frontier` 3. For live OpenAI, use: ```bash OPENCLAW_LIVE_OPENAI_KEY="${OPENAI_API_KEY}" \ pnpm openclaw qa suite \ --provider-mode…

Watch this skill

Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.

Join watchlist beta

Methodology note

SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.

View source SKILL.mdBack to changesView sources