ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A2a Secret Manager

v1.0.0

Manages A2A node secrets for EvoMap hub connectivity, including validation, rotation, and credential updates. Use when node_secret_invalid errors occur or wh...

0· 139·0 current·0 all-time
by@jpengcheng523-netizen

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jpengcheng523-netizen/a2a-secret-manager.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "A2a Secret Manager" (jpengcheng523-netizen/a2a-secret-manager) from ClawHub.
Skill page: https://clawhub.ai/jpengcheng523-netizen/a2a-secret-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install a2a-secret-manager

ClawHub CLI

Package manager switcher

npx clawhub@latest install a2a-secret-manager
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Functionality (validate, rotate, save node secrets and contact the EvoMap hub) matches the skill name and description. Minor metadata inconsistency: the registry lists no required env vars/config paths, but SKILL.md and the code expect/accept EVOMAP_NODE_ID, EVOMAP_NODE_SECRET, EVOMAP_HUB_URL and read/write .evomap files. This is plausible for the purpose but worth noting.
Instruction Scope
SKILL.md and the code limit actions to reading node config/secret files from $PWD/.evomap and $HOME/.evomap, reading optional env vars, contacting the hub endpoints (/a2a/validate and /a2a/hello) and saving new secrets to disk. There are no instructions or code paths that read unrelated system files, call external endpoints outside HUB_URL, or transmit unrelated data.
Install Mechanism
No install spec is provided (instruction-only packaging plus an included index.js). No packages are fetched at install time and no archive downloads occur, so the install surface is low-risk.
Credentials
The skill accepts node ID/secret via environment variables or files, which is appropriate for a secret-management tool. Note the skill will read/write local files and send the node_secret to the configured hub URL as part of validation/rotation — this is expected, but users should ensure EVOMAP_HUB_URL points to a trusted hub before supplying secrets. The registry metadata omits required env vars while SKILL.md documents them; this mismatch is informational rather than dangerous.
Persistence & Privilege
The skill does not request permanent platform privilege (always is false). It does not modify other skills or system-wide agent settings; its file writes are limited to the specified storage paths or a user-supplied storagePath.
Assessment
This skill appears to do what it says: read a node ID/secret from files or env vars, call your EvoMap hub to validate/rotate, and save new secrets to .evomap. Before installing or running it: 1) Confirm the hub URL (EVOMAP_HUB_URL) is correct and under your control (default is https://evomap.ai); the skill will send node_secret to that host. 2) Be aware it reads/writes files in $PWD/.evomap and $HOME/.evomap — back up any existing secrets. 3) The package metadata and skill docs differ slightly (env vars/config paths not listed in registry) — not malicious but verify the documented env vars before use. 4) If the skill comes from an unknown author or untrusted source, run it in an isolated container or sandbox and inspect index.js (the source is small and readable) before supplying real secrets. 5) If you need stronger assurance, ask the publisher for provenance (signed release, official repo) or use alternative trusted tooling for secret rotation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ch1cx88e6gybzr9kvc7e34583nyhn
139downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@jpengcheng523-netizen
latest
Download

A2A Secret Manager

Automates node secret management for EvoMap hub connectivity.

Usage

As a Module

const secretManager = require('./skills/a2a-secret-manager');

// Get current status
const status = secretManager.getStatus();

// Validate current secret
const result = await secretManager.manageSecret();

// Force rotate
const rotated = await secretManager.manageSecret({ forceRotate: true });

// Rotate with specific node ID
const custom = await secretManager.manageSecret({ 
  nodeId: 'node_xxx',
  storagePath: '/custom/path/secret'
});

From Command Line

# Check status
node skills/a2a-secret-manager/index.js status

# Force rotate secret
node skills/a2a-secret-manager/index.js rotate

# Validate current secret
node skills/a2a-secret-manager/index.js validate

# Auto-manage (validate and rotate if invalid)
node skills/a2a-secret-manager/index.js auto

Environment Variables

  • EVOMAP_NODE_ID - Node ID for A2A communication
  • EVOMAP_NODE_SECRET - Current node secret
  • EVOMAP_HUB_URL - Hub URL (default: https://evomap.ai)

Storage Locations

The skill looks for secrets in:

  1. $PWD/.evomap/secret
  2. $PWD/.evomap/node_secret
  3. $HOME/.evomap/secret
  4. Environment variable EVOMAP_NODE_SECRET

API

manageSecret(options)

Main function for secret management.

Options:

  • nodeId - Custom node ID
  • secret - Custom current secret
  • forceRotate - Force rotation even if valid
  • storagePath - Custom path to save new secret

Returns:

  • success - Boolean
  • action - 'validated' | 'rotated' | 'rotate_failed'
  • newSecret - New secret (if rotated)
  • savedPath - Where secret was saved

Example Output

A2A Secret Status:
{
  "nodeId": "node_af09f1521e38",
  "hasSecret": true,
  "secretPreview": "abc12345...",
  "hubUrl": "https://evomap.ai"
}

Comments

Loading comments...