visual-qa Security Report — Trusted | ClawSafe

5 /100

visual-qa

Visual regression testing pipeline for web applications

纯视觉回归测试工具，subprocess 用于合法启动本地开发服务器，无恶意行为发现

Skill Namevisual-qa

Duration52.7s

Enginepi

✓

Safe to install

无需限制使用，可按需部署

Findings 2 items

Severity	Finding	Location
Low	subprocess shell 执行未声明 Priv Escalation capture.py 使用 subprocess.Popen(command, shell=True) 启动本地开发服务器，这是工具合理功能，但未在 allowed-tools 中声明 `process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=cwd, env=env)` → 可选：在 SKILL.md 中声明 shell:WRITE 权限以提高透明度	`scripts/capture.py:65`
Low	依赖无版本锁定 Supply Chain pip install playwright pillow 依赖未指定版本，可能引入供应链风险 `pip install playwright pillow` → 可选：使用 requirements.txt 指定精确版本	`SKILL.md:220`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/capture.py:73 创建输出目录
Network	`READ`	`READ`	✓ Aligned	scripts/capture.py:89 page.goto(url) 访问 URL
Shell	`NONE`	`WRITE`	✓ Aligned	scripts/capture.py:65 subprocess.Popen(shell=True)

4 files · 30.5 KB · 977 lines

Python 3f · 709L Markdown 1f · 268L

├─ ▾ 📁 scripts

│ ├─ 🐍 capture.py Python 277L · 8.4 KB

│ ├─ 🐍 diff.py Python 221L · 7.2 KB

│ └─ 🐍 gate.py Python 211L · 7.3 KB

└─ 📝 SKILL.md Markdown 268L · 7.7 KB

Package	Version	Source	Known Vulns	Notes
`playwright`	`*`	pip	No	无版本锁定
`pillow`	`*`	pip	No	无版本锁定

✓ 纯本地图像处理，无数据外传

✓ 使用 Playwright/Pillow 等成熟开源库

✓ 文档清晰完整，功能与代码一致

✓ 无敏感文件访问、无环境变量遍历

✓ 无网络外传行为