accessibility
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

This skill is an accessibility audit script and template generator that is internally consistent with its stated purpose. I found no indicators of deliberate malicious behavior (no credential harvesting, no obfuscated payloads, no exfiltration). The primary concern is supply-chain risk: the script installs and runs tools via npm/npx (global and dev installs) without pinned versions or lockfile verification, and executes external CLIs — patterns that can execute remote code at runtime if a package or registry is compromised. This is expected for tooling scripts but increases security risk and requires operator trust.

Recommended mitigations: run installs in a controlled environment, prefer pinned versions or package-lock files, avoid global installs when possible, verify tool checksums or use local dev-deps, and review PATH to avoid executing unintended binaries.

LLM verification: Functionally benign for its declared purpose: an accessibility auditing helper that uses standard tooling and writes results locally. No signs of data exfiltration or backdoor activity were found. The main security concern is moderate supply-chain risk from unpinned and sometimes global npm installs and runtime npx execution, which can fetch and execute remote packages without integrity checks. Treat the package as useful but higher-risk until install and execution behaviors are hardened (pin ver