A2a Protocol
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says—communicate with A2A agents—but users should verify the registries, remote agents, dependencies, and any API keys they use.
Before installing, confirm you trust the A2A registry and remote agents you plan to contact, avoid sending sensitive information unless appropriate, use scoped API keys, and install Python dependencies from trusted sources.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages or task descriptions sent through this skill may be received and processed by remote agents or registries.
The client sends message content to an A2A registry or remote agent endpoint. This is the skill's stated purpose, but it means user-provided content may leave the local environment.
resp = self.session.post(f"{self.registry_url}/a2a/messages", json=data)
Use trusted registry URLs and target agents, and avoid sending secrets or sensitive private content unless the remote agent is trusted.
A provided API key may authorize actions such as registering an agent, sending messages, or submitting tasks on the connected service.
The client supports bearer-token authentication. This is expected for an A2A integration, but the API key is authority for the chosen registry or agent service.
if api_key:
    self.session.headers["Authorization"] = f"Bearer {api_key}"
Use a scoped API key for the intended A2A service and do not provide credentials to untrusted registry URLs.
Users may install whatever package versions are current at install time, and the documented wrapper command may not match the included Python client.
The installation guidance uses unpinned Python packages, and the usage examples reference a PowerShell wrapper even though the provided files include only SKILL.md and a2a_client.py. This is a provenance and reproducibility note, not evidence of malicious behavior.
pip install requests sseclient-py
Install dependencies from trusted sources, consider pinning versions, and use or inspect the included Python client rather than relying on an unprovided wrapper script.
