a2a supermarket
v0.2.2
Unified entry skill for RealMarket A2A commerce workflows. Supports seller product publish and buyer product discovery through UCP market connectivity, plus...
⭐ 0· 163·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The CLI implements buyer discovery and seller publish by discovering a UCP profile at /.well-known/ucp and calling discovered REST endpoints; this matches the skill name/description. The SKILL.md mentions orchestration and routing to other module skills (Google OAuth, Stripe, ledger, etc.), but those modules are not bundled here — that's plausible for an orchestrator scaffold.
Instruction Scope
Runtime instructions and included code only read stdin/CLI flags and perform HTTP(S) requests to the provided domain's well-known UCP path and REST endpoints. The skill does not read local credential files, environment variables, or unrelated system paths. Its network activity (discovering profile and POST/GET to discovered endpoints) is expected for the stated functionality.
Install Mechanism
No install spec is provided (instruction-only with a small Node CLI file). Nothing is downloaded or installed by the skill bundle, so no install-time code injection concerns are present.
Credentials
The skill declares no required environment variables or credentials, which is consistent with the included code. The SKILL.md references integrations that in full deployments would require credentials (OAuth, Stripe), but those are external modules not present here; this skill itself does not request secrets.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not modify other skills' configuration or system-wide settings. It runs as an on-demand CLI/orchestrator and has no elevated platform privileges.
Assessment
This skill appears to do what it claims: it discovers a UCP profile at the provided domain and then GETs/POSTs product data to the discovered REST endpoint. Before installing or invoking it: 1) only point it at domains you trust — it will make outbound HTTP(S) requests and can POST product payloads to the discovered endpoint; 2) be aware SKILL.md mentions external modules (OAuth, Stripe, ledgers) that are not bundled here — full end-to-end flows may require additional skills/credentials later; 3) the code is small and inspectable, but run it in a sandbox or test environment first if the domain is untrusted; and 4) ensure your Node runtime supports global fetch or provide a polyfill when running the CLI.
Like a lobster shell, security has layers — review code before you run it.
