a2a-executor-patterns
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The asynchronous executor template for TypeScript implements a callback mechanism that sends task results to an arbitrary URL provided in the task's metadata without any validation or whitelisting. Evidence:
templates/async-executor.ts(lines 172-184) performs afetchPOST request to acallbackUrlsourced directly fromtask.metadata. Risk: This functionality allows for the exfiltration of sensitive task results (such as LLM outputs or processed file data) to external attacker-controlled servers and enables Server-Side Request Forgery (SSRF) attacks against internal network resources. - [Prompt Injection] (LOW): The skill's architecture is vulnerable to indirect prompt injection (Category 8). 1. Ingestion points:
A2ATaskparameter and metadata objects intemplates/async-executor.ts,templates/async-executor.py, andtemplates/streaming-executor.py. 2. Boundary markers (absent): No delimiters or instructions are used to distinguish untrusted parameters from system instructions. 3. Capability inventory: Network access viafetch, simulated file processing, and LLM inference. 4. Sanitization (absent): The provided templates do not include validation, escaping, or filtering for input URLs or data payloads.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata