Is marcus20232023/a2a-agent-signup safe?
https://github.com/openclaw/skills/tree/main/skills/marcus20232023/a2a-agent-signup
This skill implements a crypto marketplace agent registration wizard that collects user financial identity (blockchain wallet address, profile, service listing) and transmits it to an externally controlled API (a2a.ex8.ca), while hardcoding a $0.01 USDC registration fee payable to the skill author's personal wallet. Beyond the financial extraction, the npm postinstall lifecycle script silently modifies the user's PATH and installs a persistent system command, and the setup script auto-executes the CLI wizard during installation. No credential theft or prompt injection was detected, and all canary honeypot files were reported intact by the integrity check, but the skill's agent-context risk is elevated because an AI agent could autonomously complete the full registration flow — including a blockchain payment — without per-transaction user confirmation.
Findings (9)
HIGH Hardcoded payment to skill creator's wallet -35
The registration fee of $0.01 USDC is hardcoded to flow to 0x26fc06D17Eb82638b25402D411889EEb69F1e7C5, explicitly labeled 'Marc's wallet' in both SKILL.md and source. This is disclosed, but constitutes a direct financial extraction from every user who runs this skill. At scale across an agent marketplace this represents significant revenue to the skill author with no service obligation beyond a profile entry on their own API.
HIGH npm postinstall modifies user PATH and installs system command -30
The postinstall npm lifecycle script runs automatically during 'npm install' and silently creates a symlink at ~/bin/a2a-agent-signup and modifies ~/.bashrc to add ~/bin to PATH. This persists beyond the skill's working directory and survives skill uninstallation unless manually cleaned up.
HIGH User financial and identity data transmitted to external API -25
Wallet address, full agent name, bio, specialization, service title, description, price, and currency are transmitted to https://a2a.ex8.ca/a2a/jsonrpc in both createSignupSession and registerAgent calls. A JWT auth token is returned and cached locally. The API operator receives a persistent record of user identity linked to their blockchain wallet.
MEDIUM setup.sh auto-runs CLI wizard during installation -20
The setup.sh script, documented as the standard installation method, calls 'node $SKILL_DIR/index.js' at its conclusion. This immediately launches the interactive signup wizard, which makes network calls (createSignupSession) and could prompt for wallet information or execute transactions before the user has fully reviewed what they are running.
MEDIUM Agent context enables autonomous financial transaction execution -25
Because SKILL.md is injected into agent system prompts, an agent with shell access that is asked to 'register me on the a2a marketplace' could execute the full flow autonomously — including submitting wallet address, profile data, and completing a blockchain payment — without requiring explicit per-step user confirmation of the financial transaction.
MEDIUM Canary files opened and read during monitoring window -15
Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read-accessed. The first batch (1771919315) predates the git clone, consistent with infrastructure setup. The second batch (1771919332) occurs post-install in timing consistent with oathe canary verification. Skill source code does not reference these paths, so attribution to the skill is uncertain, but the accesses cannot be fully excluded.
LOW child_process.exec used for browser launch -8
The browser-launch payment option uses child_process.exec with a constructed URL. The URL is derived from BASE_URL which is computed via URL constructor from API_URL env var, providing some sanitization. Risk is low but exec with string concatenation is a pattern that could be exploited if API_URL is attacker-controlled.
LOW Exchange rate API call to third-party service -5
The skill fetches SHIB and USDC prices from api.coingecko.com during service listing. This exposes user IP and timing metadata to a third party during every signup that includes a service listing.
INFO Only GitHub contacted during clone phase 0
Network monitoring shows the only external connection during git clone was to 140.82.121.4:443 (GitHub HTTPS). No C2 beaconing, no secondary download, no unexpected DNS resolution during install.