中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 18/100
Last scan:2 days ago Rescan
18 /100
a2a-market-acp-lite-negotiation
Gateway-only ACP negotiation skill with optional OpenClaw model-driven turn decisions
A legitimate A2A market negotiation skill with documented gateway-only operation and standard subprocess execution for the optional OpenClaw decision engine, but with some undocumented environmental access and external binary spawning.
Skill Namea2a-market-acp-lite-negotiation
Duration62.4s
Enginepi
Safe to install
Document the OpenClaw subprocess spawning and environment variable reads for API keys. Consider pinning the openclaw binary version rather than using A2A_OPENCLAW_BIN override.

Findings 4 items

Severity Finding Location
Medium
Undeclared environment variable access
Code reads 9 different API key environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) for LLM provider selection. This is not documented in SKILL.md.
const candidates = ['OPENAI_API_KEY', 'ANTHROPIC_API_KEY', 'GOOGLE_API_KEY', ...]
→ Document the API key environment variables in SKILL.md capabilities section
 src/cli/index.js:322
Medium
Undeclared external binary execution
When --decision-engine openclaw is used, the skill spawns an external 'openclaw' binary via child_process.spawn. This is a significant capability not mentioned in documentation.
const { spawn } = await import('node:child_process')
→ Document subprocess execution in SKILL.md with explanation of the OpenClaw engine feature
 src/cli/index.js:439
Low
Custom binary path override via A2A_OPENCLAW_BIN
The skill allows overriding the openclaw binary path via A2A_OPENCLAW_BIN environment variable, enabling execution of arbitrary binaries.
const configured = String(process.env.A2A_OPENCLAW_BIN ?? '').trim()
→ Document this capability and consider restricting the override path
 src/cli/index.js:381
Low
Single-turn mode removed but not prominently documented
The SKILL.md mentions single-turn mode is 'removed' but doesn't clearly communicate this limitation for users expecting that functionality.
Single-turn local decision mode has been removed.
→ Add a prominent deprecation notice for single-turn mode
 SKILL.md:5
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned src/cli/index.js:393 - only fs.existsSync for path checks
Network READ READ ✓ Aligned src/cli/index.js:484-500 - fetch calls to gateway only
Shell NONE WRITE ✗ Violation src/cli/index.js:439 - child_process.spawn used for openclaw
Environment NONE READ ✗ Violation src/cli/index.js:322-333 - reads 9 API key env vars
Skill Invoke NONE ADMIN ✗ Violation src/cli/index.js:439 - spawns openclaw agent binary
Clipboard NONE NONE Not accessed
Browser NONE NONE Not accessed
Database NONE NONE Not accessed
1 findings
🔗
Medium External URL 外部 URL
http://127.0.0.1:3085
SKILL.md:16

File Tree

2 files · 31.2 KB · 1072 lines
JavaScript 1f · 991L Markdown 1f · 81L
├─ 📁 src
│ └─ 📁 cli
│ └─ 📜 index.js JavaScript 991L · 29.1 KB
└─ 📝 SKILL.md Markdown 81L · 2.1 KB

Security Positives

✓ Uses shell: false in child_process.spawn, preventing shell injection attacks
✓ Arguments to spawned process are built internally, not from untrusted external input
✓ No credential exfiltration - API keys are only read for local LLM provider selection
✓ No filesystem write operations beyond existence checks
✓ All network activity limited to configurable gateway endpoint
✓ Single-turn mode explicitly disabled and documented
✓ Clean separation of gateway loop vs local execution paths
✓ No base64, eval, or other obfuscation techniques observed