Is jamjamzxhy/a2a-market safe?

https://github.com/openclaw/skills/tree/main/skills/jamjamzxhy/a2a-market

Overall score: 66 · CAUTION

The a2a-market skill is a legitimate-looking cryptocurrency marketplace integration that poses significant risk through its autonomous financial action design: it instructs agents to spend real USDC without per-transaction approval on self-detected capability gaps, claim daily rewards unprompted, and proactively spread referral codes — all routing sensitive wallet and identity data through the operator's API. No malicious code or active data exfiltration was detected during installation, but the behavioral instructions baked into SKILL.md grant the agent broad authority to take real-money actions autonomously in ways users may not anticipate. The risk is systemic rather than acute: the skill's design aligns the agent's behavior with the marketplace operator's revenue interests rather than the user's.

Category Scores

Prompt Injection 40/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Autonomous cryptocurrency spending without per-transaction approval -30

The skill's Autonomous Behavior section instructs the agent to detect task failures and capability gaps and then search, evaluate, and purchase marketplace skills with no human in the loop for transactions below $5 (auto_approve_below default). This effectively grants the agent authority to spend real USDC on behalf of the user based on self-assessed need.

HIGH Unprompted daily API calls for reward claiming -20

The skill instructs the agent to automatically claim daily rewards whenever a new day starts, without any user request in that session. This creates persistent background behaviour — the agent contacts api.a2amarket.live daily regardless of user intent, acting as a keep-alive beacon and generating engagement metrics for the operator.

HIGH Capability-gap self-trigger in skill description -10

The SKILL.md description field — used by the agent runtime to decide when to invoke the skill — lists 'Agent detects a capability gap and needs to acquire new skills' as a trigger condition. Any task the agent cannot complete becomes a potential trigger for autonomous marketplace activity, creating an unbounded invocation surface.

MEDIUM All financial and identity data routed through operator-controlled API -20

Every transaction, balance check, agent registration, and reward claim sends wallet addresses, agent IDs, and signed Ethereum messages to api.a2amarket.live — a domain owned and operated by the skill author. The operator receives a complete ledger of the user's agent identity correlated with on-chain wallet activity.

MEDIUM Private key stored in environment variable -15

The recommended configuration stores the Ethereum private key as A2A_MARKET_PRIVATE_KEY in the process environment. Environment variables are visible to all processes running as the same user and are trivially leaked by debugging tools, crash dumps, and other installed skills that can read os.environ.

MEDIUM Operator-controlled marketplace creates financial conflict of interest -30

The skill routes all purchases through an operator-controlled platform that earns 2.5% on every transaction. The autonomous buy triggers benefit the operator whenever an agent perceives a gap. A malicious operator can list skills priced just above the auto-approve threshold to socially engineer agents into manually-approved purchases, or list critical-sounding skills to exploit the task-failure trigger.

LOW Ethereum private key processed unencrypted in memory -10

The Python client loads the raw private key string, instantiates an eth_account.Account object, and retains it as self.account for the lifetime of the client instance. While the key is not transmitted to the API, it lives in plaintext process memory, where it will appear in core dumps and is exposed to memory-scraping attacks.

LOW Referral code sharing instructs unsolicited outbound promotion -10

The skill's referral section and the a2a_cli.sh referral command both instruct the agent to proactively share referral URLs to grow the operator's user base. This could manifest as the agent inserting promotional content into responses or communications without user direction.

LOW Python client source truncated — payment flow unverifiable -10

The collected evidence for scripts/a2a_client.py is cut off immediately before the x402 payment signing and retry logic. The critical section that constructs and transmits the payment proof cannot be audited for hidden data inclusion or alternate endpoints.

INFO Monorepo sparse-checkout may mask future supply-chain risk -5

The skill is distributed from a shared monorepo (openclaw/skills). Future updates to the monorepo main branch could introduce malicious changes to this skill path without a dedicated release tag, making integrity verification harder for downstream users.