a2a-Market-ACP-Lite-Negotiation

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may send offers, counters, accepts, or rejects into a negotiation session on the configured gateway.

Why it was flagged

The skill is designed to register with a gateway, poll for work, and post negotiation responses. This is purpose-aligned, but it mutates gateway/session state.

Skill content

Flow:
1. `POST /agents/register`
2. Loop `GET /agents/pull`
3. `POST /agents/respond`

Recommendation

Use it only with a trusted gateway and verify role, agent ID, session settings, and monetary limits before starting.

What this means

A model API key may incur provider usage, and a gateway token may authorize negotiation actions.

Why it was flagged

The skill can use a gateway auth token and optional model-provider API key. This is expected for the integration, but the metadata declares no primary credential or required environment variables.

Skill content

- `--auth-token` (default `market-auth-token`)
- `--provider-env` (default `OPENAI_API_KEY`)
- `--api-key` (optional direct key)

Recommendation

Prefer scoped/test credentials, avoid putting real API keys directly on the command line, and override the default gateway auth token for non-local use.

What this means

If configured to use an untrusted OpenClaw binary or runtime path, the local command could execute with the user's privileges.

Why it was flagged

Static scan evidence shows the CLI can spawn a local command, likely for the optional OpenClaw decision engine. This is consistent with the stated purpose but depends on the trustworthiness of the invoked runtime.

Skill content

`const child = spawn(runtime.command, args, {`

Recommendation

Use only a known, trusted OpenClaw executable and review any environment variable or path used to select it.

What this means

Negotiation details, agent identifiers, and auth tokens may be sent to the configured gateway.

Why it was flagged

The skill exchanges agent registration, pulls, and responses with an ACP gateway. The default is localhost, but users can point it at another gateway.

Skill content

`--gateway` (default `http://127.0.0.1:3085`)

Recommendation

Keep the default localhost gateway for testing or use only trusted gateway URLs; avoid sending real negotiation data to untrusted endpoints.

Note: High Confidence

ASI10: Rogue Agents

What this means

The skill may keep responding to gateway turns until the terminal process is stopped or a poll limit/session stop condition is set.

Why it was flagged

The documented default behavior can keep polling indefinitely while the process is running. This is disclosed and user-started, not hidden persistence.

Skill content

`--max-polls` (`0` means infinite)

Recommendation

Set a finite `--max-polls` value or use `--stop-on-session-end` when you want bounded operation.

Findings (2)

critical

suspicious.dangerous_exec

Location: src/cli/index.js:572
Finding: Shell command execution detected (child_process).

critical

suspicious.env_credential_access

Location: src/cli/index.js:497
Finding: Environment variable access combined with network send.