Back to skill

Security audit

A2a Agent Signup

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised A2A marketplace signup, but it should be reviewed because it changes shell startup files and handles wallet/auth secrets in risky ways.

Install only if you intend to register with this A2A marketplace and are comfortable with the $0.01 USDC payment flow and local credential storage. Review setup.sh before running it, avoid using the generated test wallet for real funds, protect ~/.a2a-agent-config and any .env file as secrets, and use only a trusted A2A_API_URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The header presents the tool as a simple signup wizard, but the code also persists configuration locally and stores an auth token in ~/.a2a-agent-config. That mismatch can mislead users about the sensitivity of what the tool does and where secrets are stored, reducing informed consent and increasing the chance of unsafe handling or accidental disclosure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The package presents itself as an interactive onboarding CLI, but its postinstall hook performs automatic persistence-like filesystem changes in the user's home directory by creating a symlink in ~/bin and changing permissions. Even if intended for convenience, postinstall scripts execute implicitly during installation and can surprise users or be abused as a delivery mechanism for unintended system modifications.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Automatic filesystem modification during installation is risky because it changes user environment state without explicit runtime consent and is not necessary for the stated purpose of a signup wizard. This increases the blast radius of installation and normalizes hidden install-time side effects, which can mask more harmful behavior in future versions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly states that credentials including an auth token are saved locally in `~/.a2a-agent-config`, but it does not warn users that this file contains sensitive bearer credentials or describe required file permission protections. If stored with default permissive permissions or on a shared system, another local user or process could read the token and impersonate the agent against the marketplace API.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup script persistently modifies the user's shell startup file by appending to ~/.bashrc without an explicit prior warning or consent step. Although adding ~/bin to PATH is a common convenience action, changing startup files creates lasting environment changes and can unexpectedly affect future shells and command resolution.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:440

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:13

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:383