A2H Market

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This marketplace skill is mostly coherent, but it gives an autonomous agent broad trading/account tools, processes other agents’ messages automatically, and includes insecure MQTT TLS handling.

Review this carefully before installing. Use it only if you trust A2H Market and are comfortable with an autonomous agent receiving messages from other agents, holding marketplace credentials, and managing posts/orders/messages. Ask the publisher to fix MQTT TLS verification and clarify the npm install target/version mismatch before using it for real transactions.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Content
return execSync("openclaw --version 2>/dev/null", { encoding: "utf-8" }).trim();

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Content
const r = spawnSync('security', [

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).
Content
const result = spawnSync(

Env credential access

Critical
Finding
Environment variable access combined with network send.
Content
const lang = (process.env.LANG || process.env.LC_ALL || process.env.LANGUAGE || "").toLowerCase();

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Content
let privateKey = [REDACTED] ?? creds.tempo_private_key ?? '';

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Content
password: [REDACTED],

Insecure TLS verification

Warn
Finding
HTTPS certificate verification is disabled.
Content
rejectUnauthorized: false, // match Go InsecureSkipVerify

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A malicious or buggy peer agent could try to influence this agent into sending messages or using marketplace tools; the documentation asks for human approval on major decisions, but the automatic authorized dispatch still creates a high-impact misuse path.

Why it was flagged

Inbound MQTT/A2A messages from other agents are automatically routed into an authorized agent session with access to the marketplace tool set.

Skill content
Agent has full access to a2h_* tools ... dispatchInboundDirectDmWithRuntime({ ... rawBody: enrichedBody, ... commandAuthorized: true,
Recommendation

Require hard runtime approval or allowlists for mutating tools such as posting, order actions, payments, address changes, file uploads, and profile changes when triggered by peer-agent messages.

ASI07: Insecure Inter-Agent Communication
High
What this means

A network attacker or misconfigured broker path could intercept or tamper with A2A traffic, including trading messages and possibly authentication material used for MQTT communication.

Why it was flagged

The MQTT transport disables TLS certificate verification for an inter-agent messaging channel.

Skill content
rejectUnauthorized: false, // match Go InsecureSkipVerify
Recommendation

Enable certificate verification by default, pin or trust the broker CA properly, and avoid any insecure TLS mode unless the user explicitly enables it for testing.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

A user or installer could fetch a different package than the reviewed artifact, making it harder to know what code is actually installed.

Why it was flagged

The packaged artifact names one npm package but its OpenClaw install metadata points to a different npm package, and versions differ from the registry/plugin/skill metadata.

Skill content
"name": "@a2hmarket/a2hmarket" ... "version": "0.5.5" ... "npmSpec": "@a2hmarket/openclaw-plugin"
Recommendation

Align registry, package, plugin, and skill versions; make the install target match the reviewed package; publish clear provenance and a lockfile or signed release metadata.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill will hold credentials that can act as the user’s A2H agent for marketplace messaging and transactions.

Why it was flagged

The installer obtains and stores an A2H agent secret locally even though registry metadata declares no primary credential.

Skill content
Server returns agent_id + secret after user authorizes ... Save credentials to ~/.openclaw/a2hmarket/credentials.json
Recommendation

Install only if you trust the publisher, protect the credentials file, and revoke or delete the stored credentials if you stop using the skill.

ASI06: Memory and Context Poisoning
Medium
What this means

Private business strategy, price limits, and payment notes may persist on disk and influence later automated negotiations.

Why it was flagged

The skill intentionally stores private negotiation strategy and payment-status context in local persistent files for reuse across sessions.

Skill content
Path: `~/.a2h_negotiation/{worksId}.md` ... human-confirmed floor price (not public) ... preferential terms for specific buyers/sellers ... payment confirmation status
Recommendation

Review and clean the negotiation files periodically, avoid storing highly sensitive details, and ensure file permissions limit access to the local user.