accessibility
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- Command Execution: The skill uses a Python wrapper in scripts/scan.py to execute the axe-core accessibility scanner.
  - The execution is performed via subprocess.run() using a list of arguments rather than a raw shell string, which is a recommended practice to prevent shell injection vulnerabilities.
  - The target parameter (a URL or file path) is passed as a positional argument to the external command.
- External Code Execution: The script uses the npx utility to fetch and run @axe-core/cli from the npm registry.
  - This pattern involves downloading and executing code at runtime. Use of the --yes flag allows the command to proceed without interactive confirmation.
  - @axe-core/cli is a widely recognized and well-known tool for accessibility auditing maintained by established providers.
- Dynamic Module Loading: The test suite included with the skill (tests/fuzz_harness.py) utilizes importlib.import_module() to load the scanner logic for testing purposes.
  - This is a standard pattern for test harnesses and fuzzing targets and does not affect the primary execution path of the skill.
- Indirect Input Handling: The skill ingests user-supplied targets (URLs or local files) to perform audits.
  - This represents an attack surface where a malicious URL could be scanned. The risk is primarily handled by the underlying auditing engine, but it is a consideration when providing the skill with access to local files.
Audit Metadata