B2A
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: b2a Version: 1.0.0 The skill bundle consists entirely of documentation files (`.md`) and a metadata file (`_meta.json`). The content provides conceptual guidance and best practices for building products and services for AI agents (B2A). There are no executable scripts, no instructions for the OpenClaw agent to perform any actions (malicious or otherwise), and no evidence of prompt injection attempts, data exfiltration, unauthorized execution, or persistence mechanisms. The included code snippets are illustrative examples for developers, not commands for the agent to execute. The skill is purely informational and educational.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows this guidance carelessly, an agent could be given authority to spend money or create orders beyond what the user intended.
The skill advises delegated agent spending and payment flows. This is coherent with B2A commerce, but delegated purchase authority is high-impact if implemented without strict authorization.
The agent needs to transact autonomously: ... Pre-authorized budgets (agent has $X to spend)
Use explicit opt-in, least-privilege scopes, spending caps, per-transaction approvals where appropriate, and audit logs.
Autonomous purchasing workflows and lock-in strategies can make users less aware of purchases, alternatives, or incentives influencing an agent.
The guidance discusses reducing human decision points and increasing switching costs. This is disclosed and aligned with the sales strategy topic, but it can undermine user trust if implemented opaquely.
agent reorders without human involvement ... Lock-In Through Integration ... Data dependencies (history, preferences stored with you)
Keep autonomous purchases transparent, disclose incentives and default-vendor status, provide easy opt-out, and allow users to review or change vendors.
Systems built from this advice may collect user and agent identifiers, behavioral analytics, purchase context, or preferences.
The skill recommends tracking identifiers and decision metadata for agent-mediated commerce. This is expected analytics guidance for the stated purpose, but it involves privacy-sensitive persistent data if implemented.
Required Tracking ... agent_id ... user_id ... comparison_set ... decision_time_ms
Minimize collected data, document retention, protect identifiers, obtain appropriate consent, and avoid reusing stored context in ways users would not expect.