Back to skill
Skillv1.1.0
VirusTotal security
A2A Market · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:14 AM
- Hash
- b190ff3ef190091e7ddcc355adddd6e34fe894acfeecbbc267cf533a86ec4393
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: a2a-market Version: 1.1.0 This skill is classified as suspicious due to its direct handling of the user's Ethereum private key (`A2A_MARKET_PRIVATE_KEY`) in `scripts/a2a_client.py`. While the documentation (`SKILL.md`) explicitly states that private keys are stored locally and never sent to the API, and the code appears to use it only for local signing of API requests and payment authorizations to `https://api.a2amarket.live`, this capability is inherently high-risk. There is no clear evidence of intentional malicious behavior such as exfiltration of unrelated sensitive data, unauthorized remote control, or prompt injection attempts to subvert the agent's core directives. However, the direct access to and use of a private key, even for its stated purpose, warrants a 'suspicious' classification given the potential impact if the implementation were flawed or the API endpoint compromised.
- External report
- View on VirusTotal