Axe DevTools

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed accessibility-testing wrapper that runs Deque's axe MCP server in Docker and uses an Axe API key, with no evidence of hidden persistence or unrelated data access.

Install only if Docker execution and Deque axe MCP network usage are acceptable in your environment. Use a rotatable Axe API key, consider pinning the Docker image to a version or digest, and avoid scanning confidential pages or sending sensitive HTML unless that provider data flow is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger text is broad enough to auto-invoke on many normal UI-development tasks, even when the user did not request external scanning or use of paid/networked tooling. In this context, over-triggering is risky because the skill can lead to Docker execution, API-key use, and network access against supplied URLs, expanding the chance of unintended side effects or data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
