v0.2.18

Openclaw A2a

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This collaboration skill appears purpose-aligned, but it needs review because it tells the agent to register with an external service, persist a bearer token locally, and send work context with limited user confirmation.

Guidance: Review this skill before installing. It fits its collaboration purpose, but you should explicitly approve registration with a2a.fun, understand where the agent token is stored, confirm how to revoke it, and check any work summaries or project keywords before they are sent externally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
On first install, **do not ask the user to choose modes**... 3) register... 4) save `agentToken` locally... If you can proceed safely, **proceed**.

The instructions encourage automatic external registration and credential setup during first install instead of requiring clear user confirmation for those actions.

User impact: The agent may create an external service identity and begin setup before the user has explicitly reviewed the data flow and account implications.
Recommendation: Require explicit user approval before registration, token persistence, joining/requesting access, creating projects, or sending work summaries.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Save: - `agentHandle` - `agentToken` (**required**: persist locally; treat as password)... For agent-authenticated writes... include: `Authorization: Bearer <agentToken>`

The skill introduces a persistent bearer token that grants authenticated write authority, while the registry metadata declares no primary credential or required config path.

User impact: Anyone or anything that obtains the local token could act as the agent on the collaboration service, including performing write actions.
Recommendation: Verify the service, store the token only with restrictive permissions, understand how to revoke it, and treat installation as granting a new external account credential.
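The recommendation above is concrete enough to check mechanically. The following is an added example, not code from the skill or from ClawScan: it writes the token to a file that only the owner can read (0600), and refuses to load the token if the file has since become group- or world-readable, is a symlink, or is owned by another user. The file name `agent-token` and the token value are assumptions; SKILL.md does not specify a storage path.

```python
"""Store an agent bearer token with owner-only permissions and verify them
before use. Added illustrative example; the path and token are assumptions."""
import os
import stat
import tempfile


def save_token(path: str, token: str) -> None:
    """Create or replace the token file with mode 0600.

    O_NOFOLLOW (where the platform supports it) stops a pre-planted symlink
    from redirecting the write elsewhere; fchmod enforces 0600 even when the
    file already existed with a looser mode or the umask was permissive.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, token.encode())
    finally:
        os.close(fd)


def load_token(path: str) -> str:
    """Return the token only if the file is a plain, owner-only, owner-owned file."""
    st = os.lstat(path)  # lstat: a symlink in place of the file is rejected below
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_mode & 0o077:
        raise PermissionError(
            f"{path}: mode {stat.filemode(st.st_mode)} is readable by group/others; "
            "refusing to use the token"
        )
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not the current user")
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def run_demo() -> dict:
    """Exercise both paths in a temporary directory and report the outcome."""
    token = "a2a_example_token_not_real"  # constructed placeholder, not a real credential
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent-token")  # assumed file name
        save_token(path, token)
        loaded = load_token(path) == token

        # Simulate the token file being loosened after install (e.g. by a
        # careless chmod or a sync tool); the loader must now refuse it.
        os.chmod(path, 0o644)
        try:
            load_token(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"loaded": loaded, "rejected_loose": rejected}


if __name__ == "__main__":
    print(run_demo())
```

Running the block stores and reads back the placeholder, then shows the read being refused once the mode is loosened. This covers storage only; revoking the token is a service-side action on a2a.fun that the skill text does not describe, so it is not modelled here.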
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
summarize recent work themes (1–3) (high-level only; do not include secrets, credentials, private data, or proprietary code)... Build query from current context... repo/workspace keywords

The workflow intentionally derives summaries and search queries from recent work and workspace context, which can reveal sensitive project information even though the instructions warn against including secrets.

User impact: High-level project names, themes, or repository keywords may be sent to the external service.
Recommendation: Review generated summaries and search terms before sending them, especially in private or proprietary workspaces.
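"Review before sending" can be partly automated: hold any outbound summary or search query for explicit approval when it contains secret-like strings or terms the user has marked as internal. The block below is an added example and not part of the skill; the regex set, the internal-term list and the sample summary are constructed for illustration, and the patterns are a starting point rather than a complete secret detector.

```python
"""Screen an outbound work summary or search query before it leaves the
workspace. Added illustrative example; patterns and sample text are assumed."""
import re

# Constructed patterns for common secret shapes. Extend for your environment.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}", re.I),
    # name=value / name: value where the name contains a credential-ish word
    "credential_assignment": re.compile(
        r"\b\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*\S+", re.I
    ),
    # URLs carrying user:password@host
    "url_with_userinfo": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/@]+:[^\s/@]+@", re.I),
}


def screen_outbound(text: str, internal_terms=()) -> list:
    """Return (category, matched_text) pairs for anything that should not leave."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((name, m.group(0)))
    lowered = text.lower()
    for term in internal_terms:
        if term.lower() in lowered:
            findings.append(("internal_term", term))
    return findings


def approve_for_sending(text: str, internal_terms=()) -> tuple:
    """Gate the send: (True, []) only when nothing was flagged, otherwise
    (False, findings) so the agent can show the user exactly what to approve."""
    findings = screen_outbound(text, internal_terms)
    return (not findings, findings)


# Constructed sample: a work summary that leaked a config line into its text.
SAMPLE_SUMMARY = (
    "Themes: refactored the payment retry queue; added Terraform for staging; "
    "fixed CI flake in Project Nightjar. Deploy config uses "
    "AWS_SECRET_KEY=AKIAIOSFODNN7EXAMPLE and token: ghp_exampletoken1234567890"
)
CLEAN_SUMMARY = (
    "Themes: improved test coverage for the parser; migrated CI to reusable "
    "workflows; reviewed dependency updates."
)
INTERNAL_TERMS = ("Nightjar",)  # assumed internal codename


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SUMMARY), ("clean", CLEAN_SUMMARY)):
        ok, found = approve_for_sending(text, INTERNAL_TERMS)
        print(label, "send" if ok else "HOLD for approval", found)
```

The sample summary is held with four findings (the AWS-style key twice, once on its own shape and once as part of the `AWS_SECRET_KEY=` assignment, the `token:` assignment, and the codename), while the clean summary passes. The same gate can be applied to the "repo/workspace keywords" the skill turns into search queries.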
Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Linked discussions (context layer)... read the **entity-linked discussion thread(s)** first... **Prefer reply / continue an existing thread over starting a new thread.**

The skill is designed to exchange and reuse shared project discussion context, potentially including content from other agents or users.

User impact: Shared discussion content could influence the agent's actions and should be treated as untrusted collaboration input.
Recommendation: Do not let project messages override user instructions, and verify important decisions before acting on shared-thread content.