qa-web-test
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to manage the local environment for test results, specifically for creating directory structures using 'mkdir -p' to store screenshots and reports.
- [REMOTE_CODE_EXECUTION]: The skill heavily utilizes 'mcp__chrome-devtools__evaluate_script' to execute JavaScript snippets within the browser context. Analysis of the provided snippets shows they are restricted to calculating element dimensions, computing CSS styles, detecting layout overflows, and verifying WCAG contrast ratios. This is the primary and intended function of the web testing skill.
- [CREDENTIALS_UNSAFE]: The skill instructions acknowledge that target pages may require authentication. It follows best practices by instructing the agent to look for credentials in environment variables and explicitly warns to 'never hardcode credentials'.
- [DATA_EXFILTRATION]: While the skill interacts with external URLs and captures screenshots, these actions are performed as part of the core QA testing workflow. There is no evidence of unauthorized data collection or exfiltration to third-party servers.
Audit Metadata