Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A2a Secret Manager
v1.0.0
Manages A2A node secrets for EvoMap hub connectivity, including validation, rotation, and credential updates. Use when node_secret_invalid errors occur or wh...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Functionality (validate, rotate, save node secrets and contact the EvoMap hub) matches the skill name and description. Minor metadata inconsistency: the registry lists no required env vars/config paths, but SKILL.md and the code expect/accept EVOMAP_NODE_ID, EVOMAP_NODE_SECRET, EVOMAP_HUB_URL and read/write .evomap files. This is plausible for the purpose but worth noting.
Instruction Scope
SKILL.md and the code limit actions to reading node config/secret files from $PWD/.evomap and $HOME/.evomap, reading optional env vars, contacting the hub endpoints (/a2a/validate and /a2a/hello) and saving new secrets to disk. There are no instructions or code paths that read unrelated system files, call external endpoints outside HUB_URL, or transmit unrelated data.
Install Mechanism
No install spec is provided (instruction-only packaging plus an included index.js). No packages are fetched at install time and no archive downloads occur, so the install surface is low-risk.
Credentials
The skill accepts node ID/secret via environment variables or files, which is appropriate for a secret-management tool. Note the skill will read/write local files and send the node_secret to the configured hub URL as part of validation/rotation — this is expected, but users should ensure EVOMAP_HUB_URL points to a trusted hub before supplying secrets. The registry metadata omits required env vars while SKILL.md documents them; this mismatch is informational rather than dangerous.
Persistence & Privilege
The skill does not request permanent platform privilege (always is false). It does not modify other skills or system-wide agent settings; its file writes are limited to the specified storage paths or a user-supplied storagePath.
Assessment
This skill appears to do what it says: read a node ID/secret from files or env vars, call your EvoMap hub to validate/rotate, and save new secrets to .evomap. Before installing or running it:
1) Confirm the hub URL (EVOMAP_HUB_URL) is correct and under your control (default is https://evomap.ai); the skill will send node_secret to that host.
2) Be aware it reads/writes files in $PWD/.evomap and $HOME/.evomap — back up any existing secrets.
3) The package metadata and skill docs differ slightly (env vars/config paths not listed in registry) — not malicious but verify the documented env vars before use.
4) If the skill comes from an unknown author or untrusted source, run it in an isolated container or sandbox and inspect index.js (the source is small and readable) before supplying real secrets.
5) If you need stronger assurance, ask the publisher for provenance (signed release, official repo) or use alternative trusted tooling for secret rotation.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ch1cx88e6gybzr9kvc7e34583nyhn
