Back to skill
Skillv2.0.0
VirusTotal security
Firm A2a Bridge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:48 AM
- Hash
- fafce7724ddd45e8ca06d04a73eae64253ef7b340f2f1a4139e7b45d4cab31a5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: firm-a2a-bridge Version: 2.0.0 The skill is classified as suspicious due to its extensive capabilities involving network communication and local file system access, which inherently carry high risks. Specifically, tools like `openclaw_a2a_task_send`, `openclaw_a2a_push_config`, `openclaw_a2a_subscribe_task`, and `openclaw_a2a_discovery` (all described in SKILL.md) perform network requests to arbitrary URLs, while `openclaw_a2a_card_generate` and `openclaw_a2a_card_validate` access local files. Although the `SKILL.md` documentation claims robust security measures such as SSRF and path traversal protection, these are claims without code verification. A vulnerability in the implementation of these protections could lead to critical issues like data exfiltration or arbitrary file access, classifying it as suspicious rather than benign, but without clear evidence of intentional malicious behavior.
- External report
- View on VirusTotal