Is dylanb/axe-devtools safe?
https://github.com/openclaw/skills/tree/main/skills/dylanb/axe-devtools
The axe-devtools skill is a legitimate accessibility testing integration from Deque Systems that wraps their commercial axe MCP server via Docker. The SKILL.md contains no prompt injection, the installation was clean, and all canary honeypots remain intact. The primary residual risks are supply-chain exposure through the mutable 'latest' Docker image tag, transmission of HTML source fragments to Deque's external AI API during remediation, and the broad auto-trigger scope that fires on any UI modification task.
Findings (7)
MEDIUM Mutable Docker image tag enables silent supply chain substitution -18
The wrapper script hardcodes DOCKER_IMAGE as 'dequesystems/axe-mcp-server:latest'. A tag is a mutable pointer: Deque Systems, or an attacker who compromises their Docker Hub account, can re-push it without any change to the skill files, so nothing in the repository records which image bytes actually run. Users who already have the image cached keep running the version they pulled, while first-time users and anyone whose wrapper pulls on start silently receive whatever currently sits behind the tag, so two installs of the same skill can behave differently. This is a standard supply chain risk for Docker-based tools; the usual mitigation is to reference the image by content digest ('dequesystems/axe-mcp-server@sha256:<digest>') and bump the digest deliberately when a new release has been reviewed.
LOW AXE_API_KEY passed to third-party Docker container -10
The skill reads AXE_API_KEY from the process environment and forwards it via the Docker -e flag to the Deque MCP server container. This is the intended and documented design, but it means the API key is visible to the Docker daemon, the container process, and any code running inside the Deque image. If the Docker image is compromised (see the mutable tag finding above) or Deque's infrastructure is breached, the API key could be captured. If the wrapper interpolates the value into the command line (-e AXE_API_KEY=<value>) rather than passing only the variable name, the key is additionally exposed to any local user who can list processes; passing the bare name (-e AXE_API_KEY) lets the Docker client copy the value from its own environment without putting it in argv.
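Both findings above are addressable on the wrapper side. The following Python is an added example written for this review, not code from the axe-devtools skill or from Deque: it refuses any image reference that is not digest-pinned and passes the API key to `docker run` by name only. The image name and the AXE_API_KEY variable come from the findings; the other `docker run` flags are assumed (a stdio MCP transport), and the all-zero digest is a constructed placeholder, not the real image's digest.

```python
import os
import re
import shlex

# Constructed placeholder digest for illustration only; it is NOT the digest
# of any real dequesystems/axe-mcp-server image. Obtain the real one with
#   docker inspect --format '{{index .RepoDigests 0}}' dequesystems/axe-mcp-server:latest
# after pulling the image you have reviewed.
PINNED_IMAGE = "dequesystems/axe-mcp-server@sha256:" + "0" * 64
UNPINNED_IMAGE = "dequesystems/axe-mcp-server:latest"   # what the skill uses today

# Docker Hub style reference: name, optional tag, mandatory sha256 digest.
# (Registry hosts with a port, e.g. registry.example:5000/repo, are not handled.)
_DIGEST_REF = re.compile(
    r"^[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_.-]{1,128})?@sha256:[0-9a-f]{64}$"
)


def is_digest_pinned(image_ref: str) -> bool:
    """True only if the reference carries a full sha256 content digest.

    A tag such as ':latest' (or no tag at all) can be re-pointed on the
    registry; a digest names the content itself and cannot be swapped
    without changing the reference in the skill files.
    """
    return _DIGEST_REF.match(image_ref) is not None


def build_docker_cmd(image_ref: str, env=None, api_key_var: str = "AXE_API_KEY") -> list[str]:
    """Assemble the `docker run` argv for the MCP server container.

    Hardening versus a naive wrapper:
      * refuse mutable tags, so a re-pushed image cannot be pulled silently;
      * pass the key as `-e AXE_API_KEY` (name only). The Docker client then
        copies the value from its own environment, so the secret never
        appears in argv, shell history, or `ps` output on the host.
    The key remains visible to the daemon and inside the container; that
    exposure is inherent to the design and is not removed here.
    `env` is injectable so the function can be exercised without touching
    the real process environment.
    """
    env = os.environ if env is None else env
    if not is_digest_pinned(image_ref):
        raise ValueError(
            f"refusing mutable image reference {image_ref!r}; pin it as name@sha256:<digest>"
        )
    if not env.get(api_key_var):
        raise RuntimeError(f"{api_key_var} is not set in the environment")
    # Flags other than -e are an assumption about the MCP stdio transport.
    return ["docker", "run", "--rm", "-i", "-e", api_key_var, image_ref]


if __name__ == "__main__":
    demo_env = {"AXE_API_KEY": "example-key"}   # constructed; never hardcode a real key
    print(shlex.join(build_docker_cmd(PINNED_IMAGE, env=demo_env)))
```

Pinning by digest does not remove the need to review new releases; it only turns a silent swap into an explicit change to the skill files that a reviewer can diff.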
LOW HTML source code fragments sent to Deque's external API -10
The remediate command accepts an elementHtml argument containing the raw HTML of the violating element and transmits it as a JSON-RPC call to the Deque MCP server. This means snippets of the user's application source code leave the local machine and are processed by Deque's AI backend. For most accessibility use cases this is innocuous, but users with sensitive or proprietary UI code should be aware their markup is transmitted externally.
LOW Headless browser launched inside Docker with user-supplied URLs -22
The analyze tool instructs the Deque Docker container to spin up a real browser and load an arbitrary URL chosen by the agent. If the agent is manipulated into scanning an internal URL (e.g., http://169.254.169.254/ on cloud infrastructure), the browser inside the container can reach whatever the container's network can reach; on the default bridge network that is generally the host's routable networks, including link-local metadata endpoints and private services. This is a second-order risk contingent on agent manipulation, and because the skill accepts any URL, any restriction has to come from the calling agent or from the container's network configuration.
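A target guard the calling agent or a wrapper can apply before handing a URL to the analyze tool, as an added example for this review (not part of the skill or of Deque's server): it rejects non-HTTP schemes, literal addresses in loopback, private and link-local ranges (including the metadata address from the finding), and hostnames that resolve into those ranges. The resolver is injectable so the check runs offline; the blocklist, the function name and the example hostnames are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a browser driven by an untrusted agent must not be pointed at.
# ipaddress knows loopback/private/link-local already, but an explicit list
# keeps the policy reviewable; IPv4-mapped IPv6 is unwrapped before matching.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked_ip(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in _BLOCKED_NETWORKS)


def _default_resolver(host: str) -> list[str]:
    """Every address the host maps to (A and AAAA), not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_scan_target(url: str, resolver=_default_resolver) -> tuple[bool, str]:
    """Decide whether `url` may be passed to the analyze tool.

    Returns (allowed, reason). Literal IPs are checked directly; hostnames
    are resolved and every returned address is checked, so a DNS name that
    points into a private range is refused as well. The lookup is best
    effort: the name can be re-pointed between this check and the
    browser's own lookup (DNS rebinding), so this complements, rather than
    replaces, restricting the container's network egress.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]
        literal = True
    except ValueError:
        literal = False
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not addrs:
            return False, f"{host} resolved to no addresses"
    for ip in addrs:
        if _is_blocked_ip(ip):
            where = "literal address" if literal else f"{host} resolves to"
            return False, f"{where} {ip}, which is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the resolver stub stands in for real DNS.
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]:3000/",
                   "https://www.example.com/"):
        print(target, check_scan_target(target, resolver=lambda h: ["93.184.216.34"]))
```

Because of the rebinding window, the stronger control is to run the container on a network that has no route to the metadata endpoint or to private services; the URL check then catches the obvious cases early and gives the agent a clear refusal reason.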
INFO No prompt injection patterns detected 0
SKILL.md contains no instructions to override system prompts, ignore previous instructions, hide output, switch personas, or chain unexpected behaviors. The skill content is consistent with its stated purpose of accessibility testing.
INFO All canary files intact; sensitive file accesses attributed to audit framework 0
PATH audit events for /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json occurred at timestamps 1771940570 (before git clone at 1771940575) and 1771940591 (after install completion), consistent with Oathe's own pre-install baseline check and post-install canary verification. The skill code itself contains no file-reading logic.
INFO Install behavior is clean and scoped to expected operations 0
Installation performed a sparse git clone from github.com/openclaw/skills, checked out only the skills/dylanb/axe-devtools path, copied to the skill directory, and removed the temp clone. No unexpected file writes, process spawns, or network connections attributable to the skill were observed.