Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

a2a-Market-UCP-Broadcast

v0.2.0

Implement UCP broadcast of buyer intents to eligible nodes, including message signing, routing, and ack handling. Use when building universal commerce protoc...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for luoqianchenguni-max/a2a-market-ucp-broadcast.

Prompt preview (Install & Setup):
Install the skill "a2a-Market-UCP-Broadcast" (luoqianchenguni-max/a2a-market-ucp-broadcast) from ClawHub.
Skill page: https://clawhub.ai/luoqianchenguni-max/a2a-market-ucp-broadcast
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install a2a-market-ucp-broadcast

ClawHub CLI


npx clawhub@latest install a2a-market-ucp-broadcast

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability

Name, description, and SKILL.md goals (intent payloads, signing, broadcast, ack collection) are consistent with a UCP broadcast helper. However, the SKILL.md asserts a local 'runtime' implementation and test paths (runtime/src/..., npm test) while this published bundle contains no code or install spec, suggesting either missing artifacts or that the skill depends on out-of-band code.

Instruction Scope (flagged)

The instructions specify signing (sign_intent(intent, private_key)) and runtime behavior but do not describe how private keys are stored or obtained, nor do they constrain where the agent should look for code or run tests. That leaves scope for the agent or integrator to locate sensitive keys or external code at runtime without guidance.

Install Mechanism

This is an instruction-only skill with no install spec and no binaries to download or extract, so installation risk is low. The lack of an install step is coherent with the absence of code, but exacerbates the issue that expected runtime artifacts are missing.

Credentials (flagged)

No environment variables, credentials, or config paths are declared, yet core functionality requires signing with a private_key. The skill should declare how signing keys are provided (env var, secret store, config path). The omission is disproportionate and could lead to ad-hoc handling of sensitive keys.

Persistence & Privilege

The skill is not marked always:true and has no install-time persistence; it cannot force inclusion on every agent run. There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
Proceed cautiously. The SKILL.md describes message signing and references a local runtime implementation and tests, but this package contains no code or declared secrets/env vars for private keys. Before installing:

  1. Ask the publisher to provide the referenced runtime code or a clear install spec.
  2. Require an explicit, minimal method for providing signing keys (for example, a single declared env var or secret-store path) and documentation for key management.
  3. Verify the provenance of any external runtime package and review its tests.
  4. Avoid supplying private keys to the agent directly; prefer a secret store or a scoped key with limited privileges.
  5. If you still want to try it, run the implementation and tests in an isolated environment and inspect network behavior to ensure broadcasts go only to intended endpoints.

These inconsistencies (missing code and undeclared key handling) are the main reason this is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a6xx5sh0gf0jrynrbq1mwbd837d8y
211 downloads
0 stars
2 versions
Updated 22h ago
v0.2.0
MIT-0

a2a-Market UCP Broadcast

Define the transport and protocol shell for intent broadcast in UCP.

Current status: framework release for registration. Prioritize interoperability contracts over optimization.

Scope

  • Build intent payload schema and canonical signing routine.
  • Broadcast to eligible nodes and track delivery acknowledgements.
  • Feed response stream into quote intake service.

Suggested Project Layout

  • app/protocol/ucp/intent_message.py
  • app/protocol/ucp/signer.py
  • app/application/services/broadcast_service.py
  • app/infrastructure/ws/ucp_gateway.py

Minimum Contracts (MVP P0)

  1. build_intent(payload) normalizes and version-tags message.
  2. sign_intent(intent, private_key) returns detached signature object.
  3. broadcast(intent_id, target_nodes) returns dispatch receipt ids.
  4. collect_acks(intent_id, timeout_ms) returns per-node ack status.

Event Mapping

  • Emit INTENT_CREATED before dispatch.
  • Emit INTENT_BROADCASTED after fan-out completes.
  • Emit NODE_RESPONDED when quote/ack arrives.

Guardrails

  • Keep canonical JSON serialization deterministic for signing.
  • Record per-node retry counters and stop after configured threshold.
  • Attach protocol version in every envelope.

Implementation Backlog

  • Add adaptive node selection based on reputation percentile.
  • Add dead-letter handling for nodes with repeated timeouts.

Runtime Implementation

  • Status: implemented in local runtime package.
  • Primary code paths:
      ◦ runtime/src/protocol/ucp-client.js
      ◦ runtime/src/application/market-agent.js
  • Validation: covered by runtime/tests and npm test in runtime/.
