qa
Systematically tests web applications to identify bugs and ensure quality, producing structured reports with evidence.
Security score
The qa skill was audited on Mar 17, 2026 and we found 22 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
Piping content to bash shell
| 131 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
Curl to non-GitHub URL
| 131 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
Fetch to external URL
| 175 | - API endpoints → test them directly with `$B js "await fetch('/api/...')"` |
Access to hidden dotfiles in home directory
| 26 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 28 | mkdir -p ~/.gstack/sessions |
Access to hidden dotfiles in home directory
| 29 | touch ~/.gstack/sessions/"$PPID" |
Access to hidden dotfiles in home directory
| 30 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
Access to hidden dotfiles in home directory
| 31 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 32 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 35 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with |
Access to hidden dotfiles in home directory
| 56 | **To file:** write `~/.gstack/contributor-logs/{slug}.md` with this structure: |
Access to hidden dotfiles in home directory
| 76 | Then run: `mkdir -p ~/.gstack/contributor-logs && open ~/.gstack/contributor-logs/{slug}.md` |
Access to hidden dotfiles in home directory
| 120 | [ -z "$B" ] && B=~/.claude/skills/gstack/browse/dist/browse |
Access to hidden dotfiles in home directory
| 146 | 1. **Project-scoped test plans:** Check `~/.gstack/projects/` for recent `*-test-plan-*.md` files for this repo |
Access to hidden dotfiles in home directory
| 149 | ls -t ~/.gstack/projects/$SLUG/*-test-plan-*.md 2>/dev/null | head -1 |
Access to hidden dotfiles in home directory
| 556 | mkdir -p ~/.gstack/projects/$SLUG |
Access to hidden dotfiles in home directory
| 558 | Write to `~/.gstack/projects/{slug}/{user}-{branch}-test-outcome-{datetime}.md` |
External URL reference
| 90 | | Target URL | (auto-detect or required) | `https://myapp.com`, `http://localhost:3000` | |
External URL reference
| 131 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
External URL reference
| 180 | $B goto http://localhost:3000 2>/dev/null && echo "Found app on :3000" || \ |
External URL reference
| 181 | $B goto http://localhost:4000 2>/dev/null && echo "Found app on :4000" || \ |
External URL reference
| 182 | $B goto http://localhost:8080 2>/dev/null && echo "Found app on :8080" |