
Security audit

A2a Server

Security checks across malware telemetry and agentic risk

Overview

This skill is an A2A listener as advertised, but it exposes high-impact remote task handling that can run local commands or forward task content with weak default boundaries.

Install only in a controlled environment. Require a strong A2A_GATEWAY_API_KEY, bind to localhost or a private interface, avoid A2A_OPENCLAW_COMMAND, prefer argument-safe local invocation, do not point A2A_OPENCLAW_URL at untrusted endpoints, and treat listener logs as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = cmd.replace("{session_id}", session_id.replace('"', '\\"'))
log(f"INVOKING COMMAND: {cmd[:300]}")
try:
    result = subprocess.run(
        cmd, shell=True, capture_output=True, text=True, timeout=timeout_secs
    )
    if result.returncode != 0:
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout_secs )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents capabilities to read environment/configuration, access files, open network listeners, and invoke shell commands, but does not declare corresponding permissions. This creates a trust and review gap: operators may enable the skill without understanding that it can expose a service and execute local commands on inbound requests.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This listener is explicitly designed to process inbound network tasks, and one supported processing mode is arbitrary shell-command execution using attacker-supplied message content. In the skill context, that makes the issue more dangerous because the service is a remotely reachable entry point, and authentication can also be disabled if no API key is set.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code can forward full inbound task content to an arbitrary configured HTTP endpoint, which creates a real data-exposure channel. In an agent-listener skill this is contextually sensitive because received tasks may contain prompts, secrets, or internal data, and the forwarding happens automatically without per-request approval.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly states that if `A2A_GATEWAY_API_KEY` is empty, authentication is disabled, yet it does not prominently warn users that this exposes an inbound task execution endpoint. In this skill's context, the listener can trigger local OpenClaw/CLI execution for received tasks, so unauthenticated network access could allow unauthorized remote task submission and abuse of agent capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The listener logs inbound content and metadata directly, which can expose sensitive prompts, credentials, or personal data to local logs and log aggregation systems. Because this service handles tasks from other agents, those payloads may routinely contain confidential information, making indiscriminate logging risky.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Configured HTTP forwarding transmits task content to an external service without any user-facing disclosure or consent mechanism. In this listener context, tasks may originate from trusted internal workflows, so silent external transmission materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sources a local or sibling configuration file directly with `source`, which executes arbitrary shell code in the current process rather than merely parsing key/value settings. Because those files also control sensitive runtime values such as API keys and command settings, a modified config can execute commands at startup and influence how the listener is launched, making this a genuine code-execution and trust-boundary issue.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.