A2a Client

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says at a high level, but it automatically uses admin-level gateway authentication for ordinary discovery and task operations.

Install only if you control and trust the configured A2A gateway and are comfortable with the skill obtaining admin JWTs automatically. Avoid sending sensitive prompts or results unless the gateway and downstream providers are approved, and prefer a version that uses least-privilege task/discovery tokens instead of /v0/admin/bootstrap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill exposes shell-based operational capability but does not declare permissions or clearly bound what command execution is expected. In an agent ecosystem, undeclared shell capability weakens policy enforcement and user understanding, making it easier for the skill to perform networked actions or invoke local tools without explicit review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a client for discovery and task routing, but the documentation states it automatically obtains an admin JWT from /v0/admin/bootstrap and accesses admin endpoints. This is a privilege mismatch: a user may authorize routine delegation while the skill actually performs administrative authentication, increasing the blast radius if the skill, gateway, or downstream prompts are abused.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's stated purpose is discovery, but it obtains an admin bootstrap token and uses admin-scoped endpoints to enumerate providers. This unnecessarily expands privilege for a read-style operation and creates a path to administrative access if the script is pointed at a reachable gateway, especially because bootstrap token issuance appears unauthenticated.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Bootstrapping an admin JWT inside a client discovery script is unjustified privilege escalation. Even if only used for listing data, the capability grants administrative authority that could be reused or expanded if the environment, gateway, or script is modified, violating least privilege.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The header comment presents the script as harmless discovery, while the implementation performs privileged administrative authentication and queries admin APIs. This mismatch can mislead operators into executing higher-risk behavior without informed consent, increasing the chance of inappropriate deployment or trust.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script retrieves an admin bootstrap JWT from the gateway and then uses that token for a read-style task lookup. Using an administrative bootstrap mechanism for ordinary client operations violates least privilege and can expose a highly privileged credential to any caller or environment that can run the script, increasing the blast radius if the token is intercepted, logged, or reused.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script is described as a client task-sending utility and even accepts an API key, but it ignores that mechanism and instead calls an administrative bootstrap endpoint to obtain a JWT. That grants elevated privileges beyond the stated purpose, violates least privilege, and can let any user of the script act with admin-level access against the gateway if the endpoint is reachable.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using an administrative bootstrap capability in a routine client-send skill is unjustified and substantially increases blast radius if the script is misused or exposed. In this context, the skill's purpose is only to submit tasks, so embedding privilege escalation to admin authentication is a dangerous design flaw.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description does not warn that task contents and results are sent to an external A2A gateway and potentially onward to other agents or providers. This can lead users or orchestrators to disclose sensitive prompts, data, or outputs under the mistaken assumption that processing is local or confined to the current agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication section omits a warning that the skill automatically acquires and uses an admin JWT. Silent elevation to administrative credentials is dangerous because operators may not realize they are granting broad gateway privileges, and any compromise, misuse, or prompt-induced action could affect provider listings, agent routing, or other administrative surfaces.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently retrieves an admin JWT from a bootstrap endpoint with no user-facing disclosure or confirmation. Hidden acquisition of privileged credentials is dangerous because operators may not realize they are invoking admin authentication, and the token may be exposed through downstream logging, shell history, or reuse in modified workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently performs network calls, including obtaining an admin JWT and querying task data, without any disclosure or confirmation to the user. In an agent skill context, hidden outbound requests are more dangerous because they can access sensitive infrastructure or task data unexpectedly and may bypass operator awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently retrieves and uses an admin token without making operators aware that highly sensitive credentials are being acquired and then attached to subsequent requests. This increases the risk of accidental misuse, unsafe logging, troubleshooting exposure, or users unknowingly invoking privileged operations.

VirusTotal

66/66 vendors flagged this skill as clean.