a11y-ally
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands to install dependencies via npm, execute generated JavaScript files via node, and process media with ffmpeg. It also executes browser automation using /usr/bin/chromium with the --no-sandbox flag, which reduces browser isolation security.
- [REMOTE_CODE_EXECUTION]: The skill dynamically generates several JavaScript files (e.g., multi-tool-scan.js, parallel-audit.js, crawl-audit.js) at runtime and executes them using the node environment. This pattern of code generation and execution is a known risk for arbitrary code injection if templates are manipulated.
- [EXTERNAL_DOWNLOADS]: The skill uses curl to download video files from arbitrary URLs discovered on target web pages for accessibility analysis.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the web (HTML, video metadata) and uses an LLM to generate remediation code and descriptions. Malicious content on a scanned site could attempt to influence the agent's behavior or outputs.
  - Ingestion points: Web page navigation (mcp__vibium__browser_navigate) and video downloads (curl).
  - Boundary markers: None explicitly implemented to isolate untrusted content during LLM analysis.
  - Capability inventory: Subprocess execution (node, npm, curl, ffmpeg), filesystem writes (fs.writeFileSync), and network access.
  - Sanitization: No significant sanitization of external content before processing or interpolation into prompts.
Audit Metadata