a2a-patterns

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The scripts/consume-agent.sh utility is vulnerable to code injection. The script fetches a JSON 'Agent Card' from a remote, user-provided URL and uses the values (such as the agent's URL and name) to generate a new Python file via shell heredocs. An attacker hosting a malicious agent.json can inject Python code into the url or name fields (e.g., "); import os; os.system('...'); #), which will then be executed when the user runs the generated client.
      • Evidence: Lines 58-100 in scripts/consume-agent.sh show the untrusted variables $AGENT_NAME and $AGENT_ENDPOINT being written directly into a .py file.
  • [PROMPT_INJECTION] (HIGH): The templates for A2A clients (e.g., templates/a2a-client.py and templates/multi-agent-orchestration.py) are vulnerable to indirect prompt injection. Metadata from remote agents (name and description) is fetched and interpolated directly into the system instructions of the local agent without sanitization or boundary markers.
      • Ingestion points: A2ACardResolver.resolve() in templates/a2a-client.py.
      • Boundary markers: Absent; untrusted strings are placed directly inside the instructions block.
      • Capability inventory: Agents possess the send_task tool, allowing them to make network requests and interact with other agents or backend services (e.g., the payment/inventory tools in the e-commerce example).
      • Sanitization: None detected.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts/expose-agent.sh script executes sensitive deployment commands (gcloud run deploy, kubectl apply) based on command-line arguments. If these scripts are used in automated environments where parameters such as --agent-name are derived from untrusted sources, they could facilitate command injection or unauthorized deployments.
  • [EXTERNAL_DOWNLOADS] (LOW): Multiple scripts (scripts/consume-agent.sh, scripts/validate-a2a.sh) perform network operations to fetch JSON metadata from arbitrary remote endpoints. This behavior is documented and intended, but it serves as the delivery vector for the RCE and prompt injection vulnerabilities described above.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 06:03 AM