Is elontusk5219-prog/a2a-platform safe?

https://github.com/openclaw/skills/tree/main/skills/elontusk5219-prog/a2a-platform

Overall score: 78 (CAUTION)

The A2A Platform skill (elontusk5219-prog/a2a-platform) is a Chinese-language markdown guide for integrating with the a2a4b2b.com B2B agent platform. The skill contains no executable code, no prompt injection, and passed all canary and installation integrity checks. The primary concerns are design-level: a configurable base URL (A2A_BASE_URL) creates an indirect exfiltration vector if that environment variable is ever attacker-controlled, and the skill instructs the agent to directly collect and hold API keys from users in conversation, normalizing a credential handling pattern that could be exploited in adversarial contexts. Users should independently vet the a2a4b2b.com platform and ensure A2A_BASE_URL is never set by untrusted sources.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 75/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

MEDIUM Configurable Base URL Lets an Attacker Redirect All API Traffic (Exfiltration Vector) -25

All API calls made by the agent (session creation, messaging, RFP submission, capability queries) are routed through the A2A_BASE_URL environment variable. If this variable is set to an attacker-controlled server, whether by a second compromised skill, a misconfiguration, or social engineering, all transmitted business data, user messages, session content, and the API key sent with each request would be silently delivered to that server. The skill provides no URL validation, domain allowlisting, or certificate pinning, so a value such as https://a2a4b2b.com@evil.example/ or https://a2a4b2b.com.evil.example would be accepted as readily as the real origin. HTTPS does not mitigate this: the data is exfiltrated over a perfectly valid TLS session to the wrong host. This is an indirect but exploitable attack chain that requires control of the environment variable; the control that closes it is binding the host to an allowlist before any request is made. The title calls this SSRF-like, but strictly it is endpoint redirection of the agent's own outbound calls rather than server-side request forgery.

MEDIUM Agent Instructed to Collect and Directly Hold User API Keys -20

The skill instructs the agent to prompt users for their A2A API key and accept it directly in conversation for use in subsequent API calls. This places live credentials in the agent's context window, from where they flow into conversation transcripts, tool-call logs, and every subsequent model request. In adversarial scenarios, such as a later compromise of the system prompt, a co-installed logging skill, or a redirected base URL, these credentials are exposed. The safer pattern is to have the user set an environment variable themselves (for example A2A_API_KEY) and have the skill read it at call time, so the key value never passes through the agent.
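Added example, not code from the a2a-platform skill or from the Oathe audit: a small configuration loader showing the two controls the findings above ask for. It pins A2A_BASE_URL to an allowlisted origin (scheme, host, port, no userinfo, no path prefix, no query or fragment) instead of trusting the environment blindly, and it sources the API key from an environment variable rather than from the conversation, refusing to proceed when the key is absent and redacting it in anything that might be logged. The variable name A2A_API_KEY, the allowlist contents, the error types, and the key-prefix pattern used to spot a key pasted into chat are all assumptions chosen for illustration.

```python
"""Hardened client configuration for an env-driven skill endpoint.

Added example for the audit findings on A2A_BASE_URL and inline API keys.
Assumptions (not from the skill): the env var A2A_API_KEY, the allowlist
below, and the illustrative key-prefix pattern.
"""
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the single origin the skill documents, per the audit.
ALLOWED_ORIGINS = {("https", "a2a4b2b.com", 443)}
DEFAULT_BASE_URL = "https://a2a4b2b.com"


class UnsafeBaseURL(ValueError):
    """A2A_BASE_URL would send traffic somewhere other than the allowlist."""


class MissingCredential(RuntimeError):
    """No API key in the environment; refuse rather than ask the user in chat."""


def validate_base_url(raw: str) -> str:
    """Return a normalised base URL or raise UnsafeBaseURL.

    Rejects non-HTTPS schemes, embedded userinfo (https://a2a4b2b.com@evil/),
    look-alike or suffix hosts (a2a4b2b.com.evil), non-default ports, query
    strings, fragments, and any path prefix that could route through a proxy.
    """
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() != "https":
        raise UnsafeBaseURL(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeBaseURL("userinfo in base URL is not allowed")
    if parts.query or parts.fragment:
        raise UnsafeBaseURL("query/fragment in base URL is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port or 443
    except ValueError as exc:  # non-numeric port component
        raise UnsafeBaseURL(str(exc)) from exc
    if ("https", host, port) not in ALLOWED_ORIGINS:
        raise UnsafeBaseURL(f"origin {host}:{port} is not allowlisted")
    if parts.path not in ("", "/"):
        raise UnsafeBaseURL(f"unexpected path {parts.path!r}")
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def is_safe_base_url(raw: str) -> bool:
    """Boolean form of validate_base_url, convenient for checks and tests."""
    try:
        validate_base_url(raw)
        return True
    except UnsafeBaseURL:
        return False


def redact(secret: str) -> str:
    """Keep a short prefix so a key can be recognised in logs without leaking it."""
    return "***" if len(secret) <= 8 else secret[:4] + "..."


@dataclass(frozen=True)
class ClientConfig:
    base_url: str
    api_key: str

    def redacted(self) -> str:
        """Representation that is safe for logs and the agent's context window."""
        return f"ClientConfig(base_url={self.base_url!r}, api_key={redact(self.api_key)!r})"


def load_client_config(env: Optional[Mapping[str, str]] = None) -> ClientConfig:
    """Build the config from the environment only.

    The key is never a function argument and never parsed out of chat text,
    so a compromised prompt has no path to hand a pasted key to this code.
    """
    env = os.environ if env is None else env
    base_url = validate_base_url(env.get("A2A_BASE_URL", DEFAULT_BASE_URL))
    api_key = env.get("A2A_API_KEY", "").strip()
    if not api_key:
        raise MissingCredential(
            "A2A_API_KEY is not set; export it in the environment instead of "
            "pasting it into the conversation")
    return ClientConfig(base_url=base_url, api_key=api_key)


# Illustrative pattern (an assumption, not the platform's real key format):
# used to refuse, not consume, a key a user pastes into the conversation.
INLINE_KEY_RE = re.compile(r"\b(?:a2a|sk)[-_][A-Za-z0-9]{16,}\b")


def looks_like_pasted_key(message: str) -> bool:
    """True if a user message appears to carry a raw API key inline."""
    return INLINE_KEY_RE.search(message) is not None


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; no network is touched.
    cfg = load_client_config({"A2A_API_KEY": "a2a_testkey0123456789abc"})
    print(cfg.redacted())
```

The allowlist is deliberately an exact (scheme, host, port) triple rather than a suffix match, because suffix matching is what lets a2a4b2b.com.evil.example through; the userinfo check matters because https://a2a4b2b.com@evil.example/ parses with hostname evil.example while still looking right in a casual review.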

LOW In-Conversation Credential Prompting Normalizes Unsafe Credential Handling -15

The skill trains the agent to proactively solicit API keys from users during conversation and accept them inline. While this is a common API integration pattern, it normalizes the behavior of sharing secrets with the agent directly, potentially making users more susceptible to credential harvesting by future malicious skills that mimic this pattern.

LOW Agent Can Auto-Register on Commercial Platform Without Explicit User Consent -15

The skill directs the agent to perform autonomous registration on a2a4b2b.com (POST /v1/agents/register, unauthenticated). The API key returned is described as issued only once, pressuring users to capture it immediately during the agent conversation. This can create accounts, incur service obligations, and generate data relationships with a commercial third party without the user making a deliberate registration decision.

LOW Exclusive Dependency on Unvetted Commercial Platform -15

All skill functionality routes exclusively through https://a2a4b2b.com. The platform's privacy policy, data retention practices, and security posture are not disclosed within the skill. Users enabling this skill implicitly consent to sending business communications, RFP data, and agent session content to this platform.

LOW References Specific Named MCP Tools That May Not Exist -5

The skill references MCP tools by specific names (wymyk_create_inquiry, wymyk_send_message) that are not standard and may not exist in the user's MCP configuration. If tools with identical names exist for other purposes, or are registered later by a malicious server, the skill would silently chain through them, since tool names are resolved by string match with no check of which server provides them. If they do not exist, the skill does not say what the agent should do, so its behavior in that case is unspecified.

INFO Installation Clean — Post-Install Connections Attributable to Pre-Existing openclaw-gateway Process 0

All network activity during and after installation was expected. The GitHub git clone was the only external connection attributable to skill installation. Post-install TCP connections to Cloudflare (104.16.2.34) and CDN IPs (98.83.99.233) on port 443 are attributed to the pre-existing openclaw-gateway process (pid=1086), which was running before installation began.

INFO Canary File Accesses Attributable to Audit Infrastructure, Not Skill 0

Credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at two audit timestamps: 1771926307 (12 seconds before skill installation at 1771926319) and 1771926323 (4 seconds after installation). The skill contains no code capable of reading files. These accesses are consistent with Oathe audit infrastructure probing the canary files to take an integrity baseline before installation and to verify it afterwards. No canary content appeared in outbound network traffic.