Skill v2.0.0
ClawScan security
Firm A2a Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 1, 2026, 10:10 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (A2A bridge) matches the actions described, but important security and provenance details are missing or underspecified (SSRF protections, signing key handling, network callbacks and local-file scanning), so proceed cautiously and ask for clarifications before installing.
- Guidance: This skill appears to do what it says (A2A bridge) but lacks provenance (no homepage; unknown source) and omits critical security details. Before installing or using it:
  1. Ask the author for an implementation reference (repo or docs) and a maintainer identity.
  2. Request specifics about the SSRF protections (what URL patterns are blocked, how localhost/internal addresses are handled).
  3. Ask how signing keys and webhook auth tokens should be provided and stored (avoid pasting secrets into free-text fields; prefer use of platform-provided secret stores).
  4. Clarify safe defaults for discovery (do not allow an unbounded filesystem scan; require an explicit souls_dir).
  5. Test in an isolated non-production environment first, and monitor outgoing network calls to ensure callbacks do not exfiltrate sensitive data.

  If these clarifications are not available, treat the skill as higher-risk and avoid granting it network access or secrets.
Review Dimensions
- Purpose & Capability (ok): The name and description (A2A bridge for agent discovery, task lifecycle, push notifications, SSE) align with the SKILL.md tools and parameters (card generation/validation, send/status/cancel tasks, push config, discovery). The declared scope matches the functionality described.
- Instruction Scope (concern): Instructions require reading SOUL.md files and optionally scanning a local directory of SOUL.md files, and they permit sending HTTP requests/webhooks/SSE to arbitrary agent URLs and callback URLs. These behaviors are consistent with the purpose but are security-sensitive. The doc claims SSRF protection without describing how it is enforced, and it does not limit or document safe defaults for local directory scans (souls_dir) or network targets, leaving room for accidental exposure or misuse.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no declared binaries, which is low-risk from an installation perspective (nothing is written to disk by an installer).
- Credentials (note): No environment variables or credentials are required, which is proportional. However, the tool exposes parameters for a signing_key and auth_token (for webhook delivery) without guidance about where or how to provide/store them securely. The SKILL.md also promises that signing keys are 'masked in the output' but gives no implementation or storage details.
- Persistence & Privilege (ok): The skill does not request always:true and does not declare any persistent config paths or system-wide modifications. Autonomous invocation is allowed (default), which is normal for skills.
