Axe DevTools

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: axe-devtools
Version: 4.0.0

The skill is classified as suspicious due to its reliance on executing `docker run` via `child_process.spawn` in `scripts/axe-mcp.js`. While the script uses a legitimate Docker image (`dequesystems/axe-mcp-server:latest`) and passes arguments safely via JSON, the direct execution of Docker commands is a high-privilege operation. The script also passes `AXE_API_KEY` and potentially `AXE_SERVER_URL` as environment variables to the container. This creates a significant attack surface: a prompt injection against the agent could manipulate these environment variables (e.g., redirecting `AXE_SERVER_URL` to a malicious server) or potentially alter the Docker command itself, leading to unauthorized execution or data exfiltration, even though the current implementation shows no malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can start a Docker container on the user's machine.

Why it was flagged

The skill runs a local Docker command. This is disclosed and purpose-aligned for the axe MCP wrapper, but it means installing the skill enables local process execution when invoked.

Skill content

```
const proc = spawn("docker", dockerArgs, { stdio: ["pipe", "pipe", "pipe"] });
```

Recommendation

Use it only where Docker execution is acceptable, and review the Docker image/source before relying on it in sensitive environments.

What this means

Future runs may execute a newer container image than the one the user expected.

Why it was flagged

The runtime depends on an external Docker image using the mutable latest tag, so the executed server code can change outside the reviewed skill artifacts.

Skill content

Docker image pulled: `dequesystems/axe-mcp-server:latest`

Recommendation

Prefer pinning a reviewed image version or digest, and verify the publisher before use.

What this means

The container can use the user's Axe DevTools subscription and may consume organization credits.

Why it was flagged

The wrapper reads the user's Axe API key and passes it into the Dockerized MCP server. This is expected for the paid axe service, but it gives the container access to the subscription credential and credits.

Skill content

```
const AXE_API_KEY = process.env.AXE_API_KEY;
...
"-e", `AXE_API_KEY=${AXE_API_KEY}`
```

Recommendation

Use a rotatable, appropriately scoped API key and monitor credit usage.

What this means

Private page URLs or DOM snippets could be included in requests made through the MCP server.

Why it was flagged

The remediation command sends element HTML, issue text, and optionally a page URL to the MCP tool. SKILL.md discloses AI-powered remediation, but users should treat this as sharing page details with the axe MCP/provider workflow.

Skill content

```
const remArgs = { ruleId, elementHtml, issueRemediation };
if (pageUrl) remArgs.pageUrl = pageUrl;
```

Recommendation

Avoid using the remediation tool on confidential pages or sensitive HTML unless that data sharing is acceptable under your organization's policy.