Firm A2a Bridge
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only A2A bridge, but its real behavior depends on an external MCP extension and it can send task data to other agents or webhooks.
Before installing, verify that you have a trusted version of the referenced MCP extension, use only trusted A2A agent URLs and webhook/callback endpoints, and avoid sending sensitive task content or secrets unless you understand how the external implementation handles them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not function, or may behave differently, depending on which external MCP extension version is installed.
The reviewed package has no code or install spec, so the actual A2A tools and any safety controls depend on an external MCP extension with a version range rather than a reviewed bundled implementation.
requires:
- mcp-openclaw-extensions >= 3.0.0
Install the MCP extension only from a trusted source, review or pin its version where possible, and do not rely on unverified safety claims from this instruction-only artifact.
Messages sent through this bridge could be seen or processed by remote agents or webhook receivers you configure.
The skill intentionally enables discovery, task exchange, and push notifications between agents, so task messages and metadata may cross agent or service boundaries.
allowing agents to discover each other, exchange tasks, and receive push notifications
Use only trusted agent URLs and webhook/callback endpoints, and avoid sending sensitive content unless the receiving agent and transport are appropriate.
A misdirected request could send a task to the wrong agent or cancel a task unintentionally.
The documented tools can create remote tasks and cancel running tasks. That is expected for A2A lifecycle management, but mistakes in target URL or task ID could affect the wrong work.
`openclaw_a2a_task_send` Sends a message/task to a remote A2A agent ... `openclaw_a2a_cancel_task` Cancels a running A2A task
Confirm the target agent URL, context, and task ID before using send or cancel operations, especially in shared or production environments.
If these values are exposed to the wrong agent, logs, or endpoint, they could be misused for signing or webhook authorization.
The documented interface can receive signing keys and bearer tokens for signed agent cards and push delivery. This is purpose-aligned, and the artifact says the signing key is masked in output, but credential handling is still sensitive.
`signing_key` (str, optional) — Signing key (masked in the output) ... `auth_token` (str, optional) — Bearer token for delivery
Provide only scoped tokens or keys, rotate them if exposed, and verify the external MCP implementation does not log or forward secrets unexpectedly.
