Trust Assessment
a2a-market received a trust score of 39/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Potential data exfiltration: file read + network send", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential data exfiltration: file read + network send.** Function 'register' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/tariqsumatri82/a2a-market-1-1-0/scripts/a2a_client.py:332 |
| HIGH | **Shell command injection via cmd_price keywords.** The `cmd_price` function in `scripts/a2a_cli.sh` constructs a JSON array for keywords by directly echoing user-provided arguments (`$keywords`) into a pipe (`echo "$keywords" \| jq ...`). If `$keywords` contains shell metacharacters or command substitutions (e.g., `$(command)`), these will be executed by the shell before being passed to `jq`. This allows an attacker to inject and execute arbitrary shell commands. Properly escape or sanitize user input before passing it to `echo` or other shell commands, especially when piping to other utilities. A safer approach would be to construct the JSON array directly in Python or use `printf %q` for shell arguments to prevent command substitution. For example, `printf '%s\n' "$keywords" \| jq -R . \| jq -s .` would prevent command substitution, but still might have issues with `jq` if keywords contain newlines. The best approach is to avoid `echo` and shell interpretation for constructing JSON from arbitrary user input. | LLM | scripts/a2a_cli.sh:170 |
| HIGH | **LLM required to directly handle private key.** The `A2AClient` in `scripts/a2a_client.py` requires the `private_key` to be passed directly to its constructor. While the skill's code uses `eth_account` for signing and explicitly states the key is 'never sent to API', requiring the LLM to retrieve and pass a raw private key into its runtime context introduces significant risk. If the LLM's internal memory, logging, or environment is compromised, or if the LLM is inadvertently instructed to log or transmit this value, the private key could be exposed. This grants the LLM direct access to a highly sensitive credential. Implement a secure key management system where the LLM only receives a temporary, scoped token or a reference to a secure enclave operation, rather than the raw private key. The LLM should ideally never directly handle raw private keys. If direct handling is unavoidable, ensure robust input validation and strict isolation of the execution environment. | LLM | scripts/a2a_client.py:40 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/tariqsumatri82/a2a-market-1-1-0/scripts/a2a_client.py:25 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tariqsumatri82/a2a-market-1-1-0/scripts/a2a_cli.sh:13 |
| MEDIUM | **Unpinned `npm install -g clawhub` in publish script.** The `publish.sh` script uses `npm install -g clawhub` without specifying a version. This means that any time the script is run, it will fetch the latest version of the `clawhub` package. If a malicious update is pushed to the `clawhub` package on npm, it could compromise the build or publishing environment, leading to a supply chain attack. While this is a developer script, it's part of the skill package and indicates a potential weakness in the development/publishing process. Pin the dependency to a specific version (e.g., `npm install -g clawhub@1.2.3`) or use a lock file (`package-lock.json`) to ensure deterministic installations. Regularly audit and update pinned dependencies. | LLM | publish.sh:44 |