AccessMind

Security checks across malware telemetry and agentic risk

Overview

This accessibility-audit skill has real audit functionality, but it also includes broad browser access, anti-bot/stealth guidance, and local cleanup actions that users should review carefully before installing.

Install only in an isolated browser profile or test environment, and only for sites you are authorized to audit. Avoid using it on sensitive accounts or private internal apps unless you are comfortable with full-page HTML, screenshots, URLs, and behavioral data being stored locally and sent to local AI/gateway services. Do not run the legacy stealth or VoiceOver cleanup scripts on a normal workstation unless you accept the risk of disrupting Chrome sessions and clearing Chrome cache.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (44)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
async def close_all_browsers(self):
        """Close all Chrome processes"""
        # MacOS
        subprocess.run(["pkill", "-9", "Google Chrome"], 
                      stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        # Chrome Driver
        subprocess.run(["pkill", "-9", "chromedriver"],
Confidence
98% confidence
Finding
subprocess.run(["pkill", "-9", "Google Chrome"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["pkill", "-9", "Google Chrome"], 
                      stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        # Chrome Driver
        subprocess.run(["pkill", "-9", "chromedriver"], 
                      stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        time.sleep(2)  # Wait for shutdown
Confidence
97% confidence
Finding
subprocess.run(["pkill", "-9", "chromedriver"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
async def clear_browser_data(self):
        """Clear browser data"""
        # Clear cache, cookies, localStorage
        subprocess.run(["rm", "-rf", 
                       os.path.expanduser("~/Library/Caches/Google/Chrome")],
                      stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
Confidence
99% confidence
Finding
subprocess.run(["rm", "-rf", os.path.expanduser("~/Library/Caches/Google/Chrome")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises browser-driven accessibility auditing but declares no explicit permissions despite documentation and analyzer evidence indicating file read/write, network access, and shell/script execution. This creates a transparency and policy-enforcement gap: operators may approve or invoke the skill without understanding that it can crawl sites, run local scripts, and write reports or artifacts to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a professional accessibility audit tool, but the detected behavior set is substantially broader: deep crawling, persistent storage, behavioral export, local LLM/image analysis, and stealth or Cloudflare-bypass-oriented browser behavior. This mismatch is dangerous because it masks high-risk functionality behind a benign auditing description, increasing the chance of unauthorized scraping, data retention, or evasive browsing activity under the guise of accessibility testing.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document claims all browser operations occur through the managed OpenClaw Browser Tool, yet it also instructs users to run standalone Python scripts from local filesystem paths. This inconsistency weakens the stated security model because direct script execution may bypass sandboxing, logging, and centralized controls that the managed browser path is supposed to provide.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The extension sends full-page screenshots and URLs to local AI services for analysis, which can expose sensitive on-screen information unrelated to accessibility testing. Even though the destination is localhost, this is still data exfiltration to another process, and the broad visual-analysis design exceeds narrowly scoped auditing unless users are clearly informed and consent to it.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code executes in the page context and returns the full document HTML, plus page structure metadata, which may include sensitive tokens, user content, hidden fields, or internal application data. This is broader than necessary for many accessibility checks and materially increases privacy and data-handling risk if the content is later stored, processed, or transmitted.

Scope Creep

Medium
Confidence
94% confidence
Finding
The manifest grants host access to all URLs, which gives the extension visibility and potential interaction capability across essentially every site the user visits. For an accessibility auditor described as user-invoked, this exceeds least-privilege and increases the blast radius if the extension is compromised or mishandles page data.

Scope Creep

Medium
Confidence
96% confidence
Finding
Configuring a content script to run on all URLs causes code injection into every visited page, not just pages the user chooses to audit. In this context, the skill is marketed as a professional accessibility testing tool, so always-on execution is broader than necessary and exposes sensitive browsing contexts to unnecessary script access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly markets 'Cloudflare Bypass' as a standard advantage of the browser workflow, even though the skill’s stated purpose is accessibility auditing. Normalizing access-control evasion expands the skill beyond legitimate testing and can facilitate unauthorized probing of protected sites.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill description frames the workflow as 'secure scanning' while the best-practices section says the tool automatically bypasses Cloudflare protections using human-behavior simulation. That contradiction is dangerous because it can mislead users into treating evasive behavior as approved and low-risk operational guidance.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The example uses subprocess execution of a local desktop application, which introduces an unnecessary capability for a skill described as an accessibility audit platform. Even as documentation, this normalizes shelling out to host binaries and could lead an agent implementation to invoke local executables on user-controlled paths, expanding attack surface for command execution, unsafe file handling, or abuse of host resources.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The crawler explicitly configures stealth-like settings, disables browser security features such as `--disable-web-security`, and frames this as 'Cloudflare bypass'. In an enterprise browsing tool, this increases risk because pages are loaded with weakened browser protections and the skill is positioned to access potentially untrusted sites, expanding exposure to malicious web content and policy circumvention.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Placing a 'Cloudflare Stealth Mode' and 'bot protection bypass' capability at the center of the script is an evasion capability that exceeds the declared accessibility-audit purpose. Such features are dangerous because they can be used to circumvent target sites' access controls, perform unauthorized scanning, and make the tool suitable for abuse; the skill context makes this even riskier because it is presented under the guise of corporate and professional auditing.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script is explicitly framed as 'stealth' and as bypassing Cloudflare/bot protections, which is materially inconsistent with the advertised purpose of a secure accessibility audit tool. Even though much of the behavior is currently descriptive/placeholder, embedding evasion-oriented functionality and messaging in an enterprise audit skill normalizes unauthorized anti-bot circumvention and enables misuse against protected targets.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section documents concrete anti-bot evasion techniques such as human-mimicry, browser fingerprint handling, and session management to get past Cloudflare protections. In the context of an accessibility auditor, these capabilities are unnecessary for normal compliant testing and can be repurposed to access sites that explicitly attempt to block automation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments claim secure browser-tool integration while surrounding code and documentation describe stealth scanning and bypass behavior. This mismatch is dangerous because it can mislead reviewers and users into trusting a tool that is actually designed to evade target defenses, reducing scrutiny and increasing the chance of abusive deployment.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill performs destructive local environment cleanup by killing browsers and removing browser data before analysis. Those side effects exceed the expected behavior of an accessibility audit tool and can harm the user's system state without necessity or clear disclosure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill invokes OS-level commands to manipulate host processes and filesystem state, capabilities far broader than needed for accessibility analysis. This expands the trust boundary significantly: if triggered automatically, the skill can disrupt the host and user workflows in a way inconsistent with its advertised purpose.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The report generator interpolates untrusted values such as page_name, page_url, and many fields from accessibility_tree-derived analysis results directly into HTML without escaping. If any of those fields contain attacker-controlled HTML or script payloads, opening the generated report can trigger stored/local XSS in the analyst's browser, which is especially relevant because this skill processes arbitrary web content and then renders it into a local report.

Vague Triggers

Medium
Confidence
82% confidence
Finding
An overly broad trigger phrase can cause the skill to activate on general user requests that only loosely resemble accessibility-audit tasks. In a skill with network, filesystem, and script-execution capabilities, accidental invocation increases the chance of unintended site access, crawling, report generation, or other side effects without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Stating that a generic request like 'audit the site' will be handled automatically without trigger constraints is ambiguous and can lead to unintentional activation. Because the skill appears able to browse, crawl, and write outputs, ambiguous auto-activation can cause actions on external targets with insufficient user acknowledgement.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The extension collects detailed page data including full HTML, links, images, and form structure without any user-facing notice in this file. In an enterprise environment, that content can contain confidential business information or personal data, so silent collection creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Screenshots and page URLs are posted to localhost HTTP services without an evident warning or consent flow. Local services are not inherently trustworthy; any process listening on those ports could receive potentially sensitive page content, and plain HTTP on localhost still broadens the trust boundary.

VirusTotal

64/64 vendors flagged this skill as clean.
