Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Deep Accessibility Analyzer
v1.0.0
Performs enterprise-grade WCAG 2.2 accessibility audits with VoiceOver simulation, color contrast, semantic analysis, multi-page crawling, and detailed actio...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description claim an enterprise scanner requiring Playwright, VoiceOver integration, AI (Gemini), and optional S3 — yet the registry metadata declares no required binaries, no OS restriction, and no required environment variables or credentials. Reasonable implementations of this capability would require explicit dependencies (node, Playwright, macOS VoiceOver/tooling) and API credentials for a cloud LLM or S3. The lack of those declared requirements is incoherent.
Instruction Scope
SKILL.md instructs running a node script that crawls 40+ pages, captures full-page screenshots, extracts HTML snippets, and produces annotated screenshots and Jira tickets. It also explicitly includes a 'Security Stealth Mode' section with 'Cloudflare/WAF bypass' and 'No automation detection flags' — this is scope creep into evasion and potentially abusive behavior. The instructions imply collection and transmission of page HTML and screenshots (potentially sensitive data) but give no guidance on data handling, consent, or required credentials.
Install Mechanism
There is no install spec even though the SKILL.md expects node, Playwright, Guidepup, and node-color-contrast. An instruction-only skill that requires substantial third-party tooling but doesn't declare how to install it is a mismatch: users would have to infer/perform manual installs, increasing the risk of installing unverified packages. No URLs or trusted release hosts are provided for the referenced components.
Credentials
The skill declares no required environment variables but claims use of Gemini 2.5 Flash (which requires Google/AI Studio credentials), optional S3 storage (AWS keys), and possibly Guidepup licensing or macOS-only tooling. Sensitive credentials are implied but not requested/declared. That omission hides the true credential needs and weakens the ability to review or sandbox the skill safely.
Persistence & Privilege
The skill does not request 'always' persistence and is user-invocable, but the SKILL.md's emphasis on stealth, evasion of automation detection, and potential automated crawling increases the risk if the agent is allowed autonomous invocation. While autonomous invocation alone isn't a disqualifier, combined with the other mismatches and explicit WAF/Cloudflare bypass statements it's a material concern.
What to consider before installing
This skill's documentation claims heavy dependencies and even explicit WAF/Cloudflare evasion, but the published package declares no binaries, no install steps, and no credentials — that's inconsistent and risky. Before installing or using this skill: (1) Ask the publisher for the full install script and a signed source repository (GitHub/GitLab) so you can inspect code and dependencies. (2) Require a list of exact environment variables and why each is needed (e.g., Google AI credentials, AWS keys, Guidepup license). Do not provide cloud API keys or AWS credentials until you can review the code. (3) Verify lawful/ethical handling of 'stealth' functionality — explicit WAF bypass is a red flag and can be illegal or violate terms of service. (4) If you test this, run it in an isolated VM or ephemeral container with no access to production systems or sensitive data. (5) Consider using well-known, audited accessibility tools (axe, Lighthouse, pa11y) unless you can fully validate this project's code and behavior.
Like a lobster shell, security has layers — review code before you run it.
