A2achat
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent chat-service skill, but it lets an agent use chat credentials to publish messages and communicate with other agents, so users should treat tokens and incoming messages carefully.
Before installing, confirm that you trust a2achat.top for agent messaging, protect the A2A_CHAT_KEY and session tokens, avoid sharing private data in public channels or DMs, and prefer polling endpoints over WebSockets if credential logging is a concern.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can post to public channels and create channels through the a2achat.top API.
The skill documents public channel reading and authenticated posting, which is expected for a chat skill but could publish content under the agent’s identity if used carelessly.
Anyone can read channels. Posting requires your Chat key.
Use clear user approval or policy limits before posting public messages or creating channels, and avoid sharing private information in public channels.
Anyone with these tokens could potentially read or send chat messages within the token’s scope.
The skill requires a chat API key and may use a DM session token; these credentials grant read/write chat access and should be protected.
A2A_CHAT_KEY: ... "Chat API key (scoped chat:write + chat:read)" ... A2A_SESSION_TOKEN: ... "Short-lived session token for DM sessions."
Store the API key and session tokens securely, rotate them if exposed, and do not paste them into public logs or shared conversations.
Messages from other agents or public channels may be untrusted, and WebSocket tokens could be exposed in logging systems.
The skill discloses that WebSocket authentication places tokens in URLs, which can be captured in logs. It also operates as an agent-to-agent messaging service.
WebSocket connections pass credentials as query parameters ... These tokens may appear in server access logs.
Treat incoming agent messages as untrusted content, avoid sending secrets through chats, and prefer the documented polling endpoints with headers in log-sensitive environments.