Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Accessibility

v0.1.0

Build WCAG 2.1 AA compliant websites with semantic HTML, proper ARIA, focus management, and screen reader support. Includes color contrast (4.5:1 text), keyboard navigation, form labels, and live regions. Use when implementing accessible interfaces, fixing screen reader issues, keyboard navigation, or troubleshooting "focus outline missing", "aria-label required", "insufficient contrast".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the contents: comprehensive WCAG 2.1 AA guidance, references, and an 'a11y-auditor' agent that inspects HTML/CSS/JS. The declared requirements (no binaries, no env vars, no install) are proportionate for a documentation/instruction-only accessibility auditor.
Instruction Scope
The SKILL.md and agents/a11y-auditor.md explicitly instruct the agent to read code and run searches (Read, Grep, Glob) over project files (examples use src/ and grep -r). That behavior is coherent for a code/page accessibility audit, but it means the agent will access your repository files when invoked. The instructions do not direct the agent to collect or transmit data to external endpoints, nor do they reference unrelated system secrets.
Install Mechanism
No install spec and no code files with executable install steps—this is instruction-only documentation and thus has a minimal disk/exec footprint.
Credentials
The skill requests no environment variables or credentials (primary credential: none). The only access it needs is to read project files (explicit in the auditor guidance), which aligns with the stated purpose.
Persistence & Privilege
always:false (normal). The auditor agent uses tools that read filesystem content (Read/Glob/Grep). Autonomous invocation is allowed (disable-model-invocation:false), which is standard, but combined with file-reading means the skill can autonomously inspect repository files if triggered. This is expected for an auditor, but be mindful of sensitive files in scope.
Assessment
This skill appears to do what it says: documentation + an auditing agent that reads your code to report WCAG 2.1 AA issues. Before installing or invoking it:
1) Verify the skill origin (plugin.json lists an author and GitHub repo — check that repository if you need provenance).
2) Limit the audit scope when you run it (scan only src/ or specific components) and avoid pointing it at directories that contain secrets, credentials, or private keys.
3) If you require stricter controls, run the guidance locally (inspect SKILL.md and references yourself) or invoke the auditor in a sandboxed environment.
4) Remember the agent will read code files for the audit (intended behavior) — there are no hidden network exfiltration instructions, but file-read access can reveal secrets if present.
If you want more assurance, ask the publisher for a canonical homepage/repo link or review the referenced GitHub repository before use.

Like a lobster shell, security has layers — review code before you run it.
