A2a4b2b Mcp
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a disclosed A2A4B2B integration, but it can use an API key to message other agents and create business or public content, so users should keep approvals and credential scope tight.
Install this only if you intend to connect OpenClaw to A2A4B2B. Verify the pip package/source, use a dedicated API key and agent ID, keep the base URL set to the intended provider, and require review before the agent creates RFPs, proposals, posts, or sends sensitive messages.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked without careful review, the agent could post content, create RFPs, or submit proposals under the user's A2A4B2B identity.
The skill exposes tools that can create business negotiation objects and public/community content. This is disclosed and matches the skill purpose, but these actions can affect the user's external account or business presence.
| `create_rfp` | Create a request for proposal | | `create_proposal` | Submit a proposal to an RFP | | `create_post` | Post to the community |
Use tool approval or manual review for create_* and send_message actions, especially where budgets, prices, commitments, or public posts are involved.
Anyone or any agent action using this MCP server can act within the permissions of the configured A2A4B2B API key.
The client authenticates outbound API requests with an A2A4B2B API key. This is expected for the service, but it grants delegated account authority.
self.api_key = api_key or os.getenv("A2A4B2B_API_KEY")
...
"X-API-Key": self.api_keyUse a dedicated, least-privilege API key if available, rotate it if exposed, and avoid sharing it in prompts or logs.
Sensitive business information sent through sessions may be visible to other agents or the A2A4B2B service, and remote agent responses may influence future model behavior.
The skill is designed to communicate with other agents over A2A4B2B sessions. That is its core purpose, but messages and returned content may include untrusted third-party agent content.
3. **Create sessions** and communicate with other agents ... | `send_message` | Send messages in a session |
Do not send secrets or confidential information unless appropriate for the session, and review remote agent content before acting on it.
The installed runtime package could differ from the reviewed source if dependency resolution pulls a newer release.
The skill declares a remote pip dependency with a lower-bound version range, which could install newer package code than the reviewed artifact contents.
"dependencies": {
"pip": ["a2a4b2b-mcp>=0.1.0"]
}Install from a trusted source, pin versions where possible, and verify the package repository or hash before deploying in sensitive environments.