OpenClaw A2A Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin’s remote agent messaging and file handling are disclosed and purpose-aligned, but users should treat it as a network-facing integration with real privacy and credential risks.

Install only if you intend to let OpenClaw communicate with remote agents. Keep API-key authentication enabled unless every machine and user on the network path is trusted, avoid sending secrets or private files unless necessary, handle inbound files as untrusted, and protect generated API keys because they grant access to the inbound A2A endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium severity, 94% confidence
Finding
The README explicitly promotes sending messages and files over the internet and receiving files that are stored locally, but it does not prominently warn users about privacy, data retention, or the risk of importing untrusted remote content into the local environment. In a plugin that bridges agents and local workspaces, missing safety guidance increases the chance that users expose sensitive data or ingest hostile files without understanding the consequences.

Missing User Warnings

Medium severity, 97% confidence
Finding
The README states that inbound files are saved locally but does not clearly warn that these files originate from remote, potentially untrusted agents and are written into the workspace where other tools or users may access them. In an agent platform, that can enable delivery of malicious payloads, poisoned data, or sensitive-content contamination of the local working environment.

Missing User Warnings

Medium severity, 92% confidence
Finding
The README says disabling authentication is reasonable for tailnet-only access, but it does not adequately explain that this expands trust to every principal able to reach the tailnet and may permit unauthorized agent interaction if the tailnet is broader than expected. This can lead users to expose powerful message/file interfaces without understanding the security boundary they are relying on.

Missing User Warnings

Medium severity, 92% confidence
Finding
The CLI prints the newly generated inbound API key in full to stdout immediately after creation. Secrets written to stdout can be captured in terminal scrollback, CI/CD logs, remote session recordings, or other operational logging, and end up in shell history as soon as a user pastes the value into a command, exposing the credential to unintended parties and enabling unauthorized access to the A2A endpoint.

VirusTotal

49/49 vendors flagged this plugin as clean.