A2A Marketplace

v2.0.0

AI tool marketplace via AgentForge — discover, compare, and execute tools with automatic billing and trust scoring.

by Lê Minh Hiếu (@paparusi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and runtime instructions consistently describe an AI tool marketplace (discover, get schema, execute, check balance). The single declared install (npm package @a2a/openclaw-plugin) is coherent with providing marketplace functionality. However, the SKILL.md does not document how authentication, account linking, or billing credentials are provided even though the skill describes automatic billing and balance checks—this is an unexplained omission.
[!] Instruction Scope
Instructions limit the agent to marketplace actions (forge_discover, forge_execute, etc.) and do not request unrelated files or env vars. But the workflow explicitly executes third‑party tools with automatic billing; that implies sending user inputs to external tool providers and financial operations. The SKILL.md gives no guidance on what data may be transmitted, how billing is authorized, or how to limit/exclude sensitive data—this broadens the runtime impact beyond a simple query tool.
[!] Install Mechanism
The install is an npm package (@a2a/openclaw-plugin), which is a plausible mechanism for this functionality. However, there is no homepage or source repository listed in the skill metadata, so the package provenance is unknown. Installing an unvetted npm plugin can execute arbitrary code; the manifest provides no verification steps or alternative trusted sources.
[!] Credentials
The skill declares no required environment variables or primary credential, yet it offers balance checks and automatic billing. A marketplace plugin typically needs account credentials, API keys, or payment tokens; the absence of any declared auth mechanism is an inconsistency. That could mean the plugin expects implicit platform-level credentials (not documented) or that necessary secrets/permissions are being omitted from the manifest.
Persistence & Privilege
The skill does not request always:true and defaults for autonomous invocation are unchanged. It does not declare config paths or system-wide modifications. Those properties are proportionate; however, autonomous invocation combined with billing-capable marketplace operations increases impact if provenance/auth are unclear.
What to consider before installing
This skill looks like a legitimate marketplace plugin, but several red flags mean you should verify a few things before installing:

- Confirm package provenance: locate the @a2a/openclaw-plugin package on a trusted registry or source (npm page, GitHub repo) and review its maintainer, README, and recent releases. Do not install an unpublished/unknown package without review.
- Ask how authentication and billing are handled: the SKILL.md mentions automatic billing and balance checks but provides no instructions for supplying API keys, account tokens, or payment methods. Ensure you understand what credentials will be used and where they are stored.
- Understand data flows: tools executed via this marketplace will receive the inputs you provide. If you will pass sensitive data, confirm vendor privacy, permitted data retention, and whether you can limit or redact data before execution.
- Verify safeguards: check for budget limits, spending alerts, or an explicit opt-in per execution to avoid unexpected charges.
- Test in a safe environment: if possible, run trial calls with non-sensitive inputs and minimal budget, and monitor network/requests during plugin installation.

If you cannot verify the plugin's source, authentication method, and billing controls, consider not installing or request a vendor-provided security/privacy document before proceeding.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-tools, latest, marketplace

Runtime requirements

🏪 Clawdis

Install

Install A2A Corp plugin:
npm i -g @a2a/openclaw-plugin
