ClawHub

A2A Bridge

v1.0.0

Bridge between Google A2A protocol and OADP agent networks. Translate agent cards to OADP signals, discover A2A agents from OADP hubs, register your A2A agen...

0· 412·0 current·0 all-time
byFLY@imaflytok
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description claim to translate A2A↔OADP and the SKILL.md provides concrete instructions to (1) publish an A2A agent card and (2) query/register agents on OADP hubs. No unrelated binaries, env vars, or installs are requested — the declared purpose aligns with the actions described.
Instruction Scope
Instructions are focused on creating/adding .well-known agent metadata and sending HTTP requests to OADP hubs. This stays within the stated bridging purpose, but the instructions explicitly send agent metadata (agent URLs, names, descriptions, capabilities) to an external domain (https://onlyflies.buzz). That outward data flow is expected for a discovery bridge, but it can leak internal URLs/metadata if the user isn't careful.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself; risk from install mechanism is minimal.
Credentials
The skill requires no environment variables, credentials, or config paths. It therefore does not request disproportionate access to secrets or system configuration.
Persistence & Privilege
The skill is not configured as always-on and does not modify other skills or system-wide settings. It does not request persistent privileges beyond normal agent invocation.
Assessment
This skill appears to do what it says: publish an A2A agent card and query/register agents via OADP. Before using it, consider the following: - Trust of the hub: The SKILL.md points repeatedly to https://onlyflies.buzz as the hub endpoint. Verify that the hub is trustworthy, review its privacy and moderation policies, and confirm TLS/certificate validity before posting metadata. - Data you publish: The sample agent.json and registration payload include URLs and descriptive metadata. Do not publish internal or private endpoints, credentials, or any sensitive information in .well-known/agent.json or registration payloads. - Audit what the agent will send: If you have an existing agent, inspect or sanitize the fields (name, url, capabilities, description) before running the provided curl commands. - Consider hosting your own hub or using a vetted registry if you need stronger guarantees about availability, access control, or data retention. If you want higher assurance, ask the skill author/publisher for the hub operator's identity, a privacy policy, and confirmation of the expected data retention and access controls. If that information is unavailable, treat the hub as untrusted and avoid publishing sensitive details.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ew89d0emby4asbbw0eywcjx822r1d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments