Axe DevTools

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can start a Docker container on the user's machine.

Why it was flagged

The skill runs a local Docker command. This is disclosed and purpose-aligned for the axe MCP wrapper, but it means installing the skill enables local process execution when invoked.

Skill content

const proc = spawn("docker", dockerArgs, { stdio: ["pipe", "pipe", "pipe"] });

Recommendation

Use it only where Docker execution is acceptable, and review the Docker image/source before relying on it in sensitive environments.

What this means

Future runs may execute a newer container image than the one the user expected.

Why it was flagged

The runtime depends on an external Docker image using the mutable latest tag, so the executed server code can change outside the reviewed skill artifacts.

Skill content

Docker image pulled: `dequesystems/axe-mcp-server:latest`

Recommendation

Prefer pinning a reviewed image version or digest, and verify the publisher before use.

What this means

The container can use the user's Axe DevTools subscription and may consume organization credits.

Why it was flagged

The wrapper reads the user's Axe API key and passes it into the Dockerized MCP server. This is expected for the paid axe service, but it gives the container access to the subscription credential and credits.

Skill content

const AXE_API_KEY = process.env.AXE_API_KEY; ... "-e", `AXE_API_KEY=${AXE_API_KEY}`

Recommendation

Use a rotatable, appropriately scoped API key and monitor credit usage.

What this means

Private page URLs or DOM snippets could be included in requests made through the MCP server.

Why it was flagged

The remediation command sends element HTML, issue text, and optionally a page URL to the MCP tool. SKILL.md discloses AI-powered remediation, but users should treat this as sharing page details with the axe MCP/provider workflow.

Skill content

const remArgs = { ruleId, elementHtml, issueRemediation }; if (pageUrl) remArgs.pageUrl = pageUrl;

Recommendation

Avoid using the remediation tool on confidential pages or sensitive HTML unless that data sharing is acceptable under your organization's policy.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/axe-mcp.js:44
Finding
Shell command execution detected (child_process).