Is adityak6798/website-usability-test-nova-act safe?
https://github.com/openclaw/skills/tree/main/skills/adityak6798/website-usability-test-nova-act
This skill provides AI-orchestrated website usability testing via Amazon Nova Act and Playwright browser automation. It appears to be a legitimate, functional tool with no evidence of active malicious behavior, prompt injection, or data exfiltration to attacker-controlled infrastructure. However, it carries meaningful privacy and operational risks: the browser automation engine captures full page screenshots and HTML into local trace files (risking sensitive data capture on authenticated pages), nine Python scripts are executed with full OS environment passthrough and were not fully auditable, and all safety guardrails preventing real transactions are enforced only through agent instructions with no technical enforcement. Install only in environments where browser automation, external AWS API calls, and local trace file accumulation are acceptable.
Findings (9)
HIGH Browser automation captures full page content including sensitive data in trace files -25
Nova Act + Playwright records screenshots, full HTML, and AI decisions for every browser step into local trace files (nova_act_logs/). If an authenticated session or internal URL is tested, all visible credentials, PII, internal documents, and confidential data are captured. The skill acknowledges this risk but relies on user discipline to avoid sensitive targets.
HIGH Nine Python scripts execute with full OS environment passthrough; source not fully auditable -20
The skill includes nine Python scripts invoked via subprocess.run() with env={**os.environ, ...}, passing all shell secrets, API tokens, and credentials from the agent's environment. The full source code of these scripts was not provided in the evidence, making it impossible to verify they perform only the documented functions.
MEDIUM Skill reads Nova Act API credential from user home directory -20
The skill's Quick Start code explicitly opens and reads ~/.openclaw/config/nova-act.json to extract the API key. While this is declared behavior, it normalizes credential file access within the agent session and establishes a pattern that could be extended or abused if the agent is misdirected.
MEDIUM Safety guardrails are instruction-only with no technical enforcement -20
The skill's published guarantees (never complete purchases, never create real accounts, never post publicly) are enforced solely by the agent following prompt instructions. No technical controls in the Python scripts prevent the browser from submitting forms or completing transactions. An adversarial website or changed agent context could induce the agent to proceed past the documented safety stops.
MEDIUM Full OS environment passed to subprocess enables credential leakage to scripts -15
The env={**os.environ} pattern in all subprocess.run() calls passes every environment variable — including AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY, DATABASE_URL, and any other secrets set in the shell — directly to the executed Python scripts. If any script is compromised or misbehaves, it has access to all ambient credentials.
MEDIUM SKILL.md uses pervasive imperative directives to control all phases of agent execution -15
The skill uses bold, capitalized, and repeated imperatives ('YOU (the AI agent) must complete ALL 4 phases', 'MANDATORY', 'CRITICAL', '⚠️') to direct the agent's behavior extensively. While the instructions are within the skill's stated scope, this level of agent direction increases the blast radius if malicious content from a tested website injects additional instructions through the raw_response interpretation phase.
LOW Skill explicitly identifies and targets the Claude agent identity -7
The skill repeatedly addresses the agent as Claude by name and uses that knowledge to modify agent behavior (discouraging API calls, encouraging on-agent reasoning). While benign here, this demonstrates agent-identity awareness that is a building block for more targeted manipulation in adversarial variants.
INFO Clean install from official OpenClaw skills monorepo via sparse checkout 0
Installation performed a depth-1 sparse checkout targeting only the specific skill subdirectory from the official skills.git repository. No unexpected network connections or process spawning occurred during install.
INFO Canary file accesses attributed to monitoring framework, not skill 0
Credential canary files were opened and read at pre-install (1771651257) and post-install (1771651278) timestamps. Timing and pattern are consistent with the oathe monitoring framework's own canary initialization and integrity verification. The monitoring system confirmed all files intact with no modification or exfiltration.