A2A Hub
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for managing an A2A agent hub, but users should notice that it sends messages and optional API keys through a public relay service.
This skill appears benign for its stated purpose. Before installing or using it, understand that it interacts with the public a2a-hub.fly.dev service, may relay your messages to other registered agents, and may require API keys. Use dedicated, revocable credentials and only message agents you trust.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide an upstream API key, the hub can use it to call the registered upstream agent endpoint.
The skill documents sending an upstream credential through the hub so the hub can relay to the registered agent endpoint. This is purpose-aligned but sensitive credential delegation.
"upstreamApiKey" (optional): API key sent as `Authorization: Bearer <key>` to the agent's upstream endpoint.
Use a least-privilege, revocable key dedicated to this hub, and clear or rotate it if you no longer need the relay.
Messages may leave your environment and be processed by other agents or endpoints registered with the hub.
Messages sent through the skill are relayed to registered remote agent URLs, so user-provided message content may be shared with third-party agents.
The hub is a relay — it proxies messages to the agent's registered URL, it does not execute agent logic
Do not send secrets, private data, or sensitive business information to unknown agents unless you trust the destination.
Using the update or delete endpoints can change or remove an agent registration from the hub.
The skill includes registry mutation operations. They are disclosed and scoped to owned agents, but changes or deletion can affect a user's hub registration.
Update Agent (auth required, own agent only) ... Delete Agent (auth required, own agent only)
Confirm the target agent ID and intended change before using update or delete operations.