visual-qa

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This visual-qa skill is narrowly scoped to browser-driven visual testing: opening routes, taking screenshots, checking visual heuristics, reporting findings, and optionally applying trivial fixes. There are no obvious malicious network endpoints, embedded payloads, credential harvesting, or download-and-execute chains. The main security concerns are operational: (1) the skill runs shell commands (starts dev server) and uses broad agent-browser tool permissions, which increases risk if untrusted inputs are passed; and (2) the documented ability to auto-fix code inline can lead to unwanted code changes or escalation if not tightly controlled (require explicit user confirmation, limit to dry-run, or restrict edits to a defined file set). Overall I assess this skill as low risk for malicious intent but with moderate operational risk due to autonomous file-modification capability and broad tool permissions. Recommend enforcing explicit confirmation for any code edits, scoping tool permissions, and sanitizing any external inputs used to build shell commands.

Confidence: 85%
Severity: 75%

Audit Metadata
Analyzed At: Mar 1, 2026, 02:04 AM
Package URL: pkg:socket/skills-sh/phrazzld%2Fclaude-config%2Fvisual-qa%2F@d6b42a07d442d6f225720adbf4469b18f3b881f5