a2a-wallet
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation guide in INSTALL.md for macOS and Linux uses a curl | sh pattern to execute a shell script directly from the author's GitHub repository (planetarium/a2a-x402-wallet).
- [COMMAND_EXECUTION]: The skill frequently executes the a2a-wallet CLI tool to perform various tasks, including message streaming, payment signing, and authentication.
- [EXTERNAL_DOWNLOADS]: The skill downloads the CLI binary and its installation script from the author's GitHub repository. It also references the x402 payment specification from Google's official agentic-commerce repository.
- [DATA_EXFILTRATION]: The skill manages sensitive wallet information, including private keys (indirectly via the CLI), balances, and bearer tokens (A2A_WALLET_TOKEN). It transmits data and signed payloads to external agent URLs provided by the user or found in agent cards.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface.
  - Ingestion points: Processes external agent cards and response metadata provided by remote A2A agents (SKILL.md).
  - Boundary markers: No explicit delimiters are used to separate agent-provided data from command-line arguments.
  - Capability inventory: The a2a-wallet tool can sign arbitrary messages and process payments, which could be triggered by malicious agent responses.
  - Sanitization: There is no evidence of sanitization or validation of data received from external agents before it is used in subsequent CLI operations.
Audit Metadata