Trust Assessment
vitonique/a2a-secure:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 33 findings: 14 critical, 12 high, 7 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, Dangerous call: subprocess.run().
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 6a6dca62). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings33
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/SKILL.md:19 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:57 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:58 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/send_signed.py:12 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:57 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:58 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:39 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/server.py:211 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:39 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server/server.py:45 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server/server.py:224 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server.py:45 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server.py:224 | |
| CRITICAL | Command Injection in Instant Wake Feature The documentation describes the Instant Wake feature as executing a shell command (`openclaw gateway call wake ...`) that incorporates the message content. Since the server imports `subprocess` and implements this feature, it is highly probable that the message content is interpolated into the shell command insecurely, allowing arbitrary code execution via shell metacharacters. Avoid constructing shell commands with user input. Use the OpenClaw API directly via Python or ensure the message is passed as a separate argument list to `subprocess.run` without `shell=True`. | Unknown | SKILL.md:205 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_secret'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:39 | |
| HIGH | Potential data exfiltration: file read + network send Function 'send_message' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:168 | |
| HIGH | Potential data exfiltration: file read + network send Function 'send_message' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/send.py:160 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_wake'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/server.py:211 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_secret'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:39 | |
| HIGH | Potential data exfiltration: file read + network send Function 'send_message' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:168 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_secret'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server/server.py:45 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_wake'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server/server.py:224 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_secret'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server.py:45 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_wake'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/server.py:224 | |
| HIGH | Path Traversal in Idempotency Key Storage The server uses the user-supplied 'idempotency_key' directly in a file path construction without sanitization. An attacker can supply a key containing '../' sequences to write JSON files to arbitrary locations on the filesystem (e.g., overwriting configuration files or writing to sensitive directories). Sanitize the 'key' variable to ensure it contains only alphanumeric characters or validate that the resulting path is strictly within IDEMPOTENCY_DIR using os.path.abspath. | Unknown | reference/server.py:128 | |
| HIGH | Server-Side Request Forgery (SSRF) in Store-and-Fetch The 'fetch_ref' message type instructs the receiving agent to fetch a URL provided in the payload. The documentation confirms the peer fetches this URL. This allows an attacker to force the agent to make HTTP requests to arbitrary internal or external destinations (SSRF), potentially exposing internal services or cloud metadata. Validate the 'url' in the 'fetch_ref' payload. Ensure it matches the expected peer host and port, or use a strict allowlist of allowed URL prefixes. | Unknown | SKILL.md:165 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/client/send.py:25 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/send.py:23 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/reference/send_signed.py:6 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/send.py:25 | |
| MEDIUM | Unpinned Python dependency version Requirement 'cryptography>=41' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'eth-account>=0.13' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Unknown | /tmp/skillscan-clone-_qegzf28/repo/requirements.txt:3 | |
| MEDIUM | Hardcoded Default Secret The server implementation includes a hardcoded default secret ('your-shared-secret'). If deployed without modification, this allows unauthorized access to the agent's messaging interface. Remove the default secret. Require the secret to be loaded from a secure environment variable or configuration file, and fail to start if it is not set. | Unknown | reference/server.py:30 |
Scan History
Embed Code
[](https://skillshield.io/report/dba55d498057ee4a)
Powered by SkillShield