a2a-market-acp-lite-negotiation 安全扫描报告 — 低风险 | ClawSafe

18 /100

a2a-market-acp-lite-negotiation

Gateway-only ACP negotiation skill with optional OpenClaw model-driven turn decisions

A legitimate A2A market negotiation skill with documented gateway-only operation and standard subprocess execution for the optional OpenClaw decision engine, but with some undocumented environmental access and external binary spawning.

技能名称a2a-market-acp-lite-negotiation

分析耗时62.4s

引擎pi

✓

可以安装

Document the OpenClaw subprocess spawning and environment variable reads for API keys. Consider pinning the openclaw binary version rather than using A2A_OPENCLAW_BIN override.

安全发现 4 项

严重性	安全发现	位置
中危	Undeclared environment variable access Code reads 9 different API key environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) for LLM provider selection. This is not documented in SKILL.md. `const candidates = ['OPENAI_API_KEY', 'ANTHROPIC_API_KEY', 'GOOGLE_API_KEY', ...]` → Document the API key environment variables in SKILL.md capabilities section	`src/cli/index.js:322`
中危	Undeclared external binary execution When --decision-engine openclaw is used, the skill spawns an external 'openclaw' binary via child_process.spawn. This is a significant capability not mentioned in documentation. `const { spawn } = await import('node:child_process')` → Document subprocess execution in SKILL.md with explanation of the OpenClaw engine feature	`src/cli/index.js:439`
低危	Custom binary path override via A2A_OPENCLAW_BIN The skill allows overriding the openclaw binary path via A2A_OPENCLAW_BIN environment variable, enabling execution of arbitrary binaries. `const configured = String(process.env.A2A_OPENCLAW_BIN ?? '').trim()` → Document this capability and consider restricting the override path	`src/cli/index.js:381`
低危	Single-turn mode removed but not prominently documented The SKILL.md mentions single-turn mode is 'removed' but doesn't clearly communicate this limitation for users expecting that functionality. `Single-turn local decision mode has been removed.` → Add a prominent deprecation notice for single-turn mode	`SKILL.md:5`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	src/cli/index.js:393 - only fs.existsSync for path checks
网络访问	`READ`	`READ`	✓ 一致	src/cli/index.js:484-500 - fetch calls to gateway only
命令执行	`NONE`	`WRITE`	✗ 越权	src/cli/index.js:439 - child_process.spawn used for openclaw
环境变量	`NONE`	`READ`	✗ 越权	src/cli/index.js:322-333 - reads 9 API key env vars
技能调用	`NONE`	`ADMIN`	✗ 越权	src/cli/index.js:439 - spawns openclaw agent binary
剪贴板	`NONE`	`NONE`	—	Not accessed
浏览器	`NONE`	`NONE`	—	Not accessed
数据库	`NONE`	`NONE`	—	Not accessed

1 项发现

🔗

中危外部 URL 外部 URL

http://127.0.0.1:3085

SKILL.md:16

目录结构

2 文件 · 31.2 KB · 1072 行

JavaScript 1f · 991L Markdown 1f · 81L

├─ ▾ 📁 src

│ └─ ▾ 📁 cli

│ └─ 📜 index.js JavaScript 991L · 29.1 KB

└─ 📝 SKILL.md Markdown 81L · 2.1 KB

安全亮点

✓ Uses shell: false in child_process.spawn, preventing shell injection attacks

✓ Arguments to spawned process are built internally, not from untrusted external input

✓ No credential exfiltration - API keys are only read for local LLM provider selection

✓ No filesystem write operations beyond existence checks

✓ All network activity limited to configurable gateway endpoint

✓ Single-turn mode explicitly disabled and documented

✓ Clean separation of gateway loop vs local execution paths

✓ No base64, eval, or other obfuscation techniques observed