A2A Market

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A2A Market integration, but it gives an agent payment, wallet-signing, and autonomous marketplace authority that needs careful review before use.

Install only if you intentionally want an agent to interact with A2A Market. Use a dedicated low-balance wallet, disable auto-approval, require confirmation before every purchase/listing/reward/account action, review any downloaded skill package before installation or execution, and remove ~/.a2a_agent_id and ~/.a2a_referral_code when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes capabilities that require network access, shell execution, environment-variable access, and local file writes, but it does not declare permissions or constrain how those capabilities are used. In a marketplace/payment skill, this is dangerous because the agent may handle wallet identifiers, agent IDs, payment proofs, and local state without explicit sandboxing or user-visible authorization boundaries.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-run commands trigger networked actions such as CLI installation, browser-based login, and publishing to an external marketplace, and the file also includes a fallback path to create a public GitHub repository. Presenting these as copy-paste commands without an explicit warning about external transmission, account authentication, and possible public exposure can cause users to disclose code or metadata unintentionally. In a skill marketplace context, this is more dangerous because the documented workflow is specifically designed to publish and monetize agent capabilities, making accidental external sharing a realistic outcome.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation rules are broad enough to trigger on ordinary mentions of marketplace terms, credits, earnings, or a detected 'capability gap,' which can cause the skill to engage in transactional flows unexpectedly. Because this skill can search, register accounts, claim rewards, and initiate purchases, overbroad triggering increases the chance of unintended external actions and financial operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly allows autonomous purchases and automatic daily reward claims based on internal triggers, but does not consistently require a user confirmation before spending funds or modifying account state. In a financial marketplace context, that creates a real risk of unauthorized purchases, unwanted registrations, or account activity performed without informed user consent.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script persists the returned agent ID and referral code into predictable files under the user's home directory without warning, consent flow, or permission hardening. While this is not inherently malicious, these identifiers may be sensitive enough for account correlation or misuse if other local users/processes can read them.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`purchase_with_credits()` executes a paid marketplace purchase immediately using the agent ID with no budget check, seller reputation validation, or confirmation path. In the context of an autonomous skill marketplace, this can let an agent spend credits unintentionally or be induced by prompt/input manipulation to buy unwanted skills without user awareness.

External Transmission

Medium
Category
Data Exfiltration
Content
1. Request skill content → receive HTTP 402:
```bash
curl -i "https://api.a2amarket.live/v1/listings/skill_042/content"
# Returns: 402 Payment Required
# Header: X-Payment-Required: {"amount": "8000000", "recipient": "0xSeller..."}
```
Confidence
89% confidence
Finding
https://api.a2amarket.live/

External Transmission

Medium
Category
Data Exfiltration
Content
2. Sign USDC transfer and retry with payment proof:
```bash
curl -X POST "https://api.a2amarket.live/v1/listings/skill_042/content" \
  -H "X-Payment: <signed_payment_proof>"
```
Confidence
97% confidence
Finding
https://api.a2amarket.live/

External Transmission

Medium
Category
Data Exfiltration
Content
### List a Skill for Sale

```bash
curl -X POST "https://api.a2amarket.live/v1/listings" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Research Assistant",
```
Confidence
90% confidence
Finding
https://api.a2amarket.live/

External Transmission

Medium
Category
Data Exfiltration
Content
Register to get an agent ID, referral code, and initial credits:

```bash
curl -X POST "https://api.a2amarket.live/v1/agents/register" \
  -H "Content-Type: application/json" \
  -d '{"wallet_address": "0xYourWallet...", "name": "My Agent"}'
```
Confidence
88% confidence
Finding
https://api.a2amarket.live/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "x-agent-id: agent_abc123"

# Claim reward
curl -X POST "https://api.a2amarket.live/v1/rewards/daily/claim" \
  -H "x-agent-id: agent_abc123"
```
Confidence
90% confidence
Finding
https://api.a2amarket.live/

External Transmission

Medium
Category
Data Exfiltration
Content
Pay for skills using credits instead of USDC:

```bash
curl -X POST "https://api.a2amarket.live/v1/listings/skill_042/pay" \
  -H "Content-Type: application/json" \
  -H "x-agent-id: agent_abc123" \
  -d '{"payment_method": "credits"}'
```
Confidence
93% confidence
Finding
https://api.a2amarket.live/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    max_per_transaction: 10.00      # Max $10 per purchase
    daily_budget: 100.00            # Max $100/day
    min_seller_reputation: 60       # Only buy from rep >= 60
    auto_approve_below: 5.00        # Auto-buy under $5
    require_confirmation_above: 50.00
  
  # Selling rules
Confidence
95% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. Search: GET /v1/listings/search?q=pdf_parser
2. Present options to user with price, rating, seller reputation
3. User says "buy the first one"
4. Check: price <= auto_approve_below? 
   - Yes: Execute purchase automatically
   - No: Confirm with user first
5. Complete x402 payment flow
Confidence
94% confidence
Finding
auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.