a2a-sdk-patterns
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [CREDENTIALS_UNSAFE] (SAFE): The skill correctly uses environment variable placeholders (e.g., 'your_api_key_here', 'A2A_API_KEY') in all templates and examples. No hardcoded secrets or sensitive tokens were detected across the 28 files.
- [EXTERNAL_DOWNLOADS] (LOW): Installation scripts (e.g., install-python.sh, install-typescript.sh) perform package installations from standard registries (npm, pip, go get). While the 'a2a-protocol' packages are not from the specific 'Trusted Sources' list, they are the legitimate subject of the skill's documentation and do not exhibit suspicious installation patterns like piping to a shell.
- [COMMAND_EXECUTION] (SAFE): The skill provides bash scripts for validation and installation. These scripts are transparent, use standard build tools (dotnet, mvn, go, pip), and do not perform any hidden or obfuscated command execution.
- [DATA_EXFILTRATION] (SAFE): No unauthorized network operations or access to sensitive local file paths (like ~/.ssh or ~/.aws) were found. Network operations are limited to standard package management and the documented SDK usage patterns.
- [PROMPT_INJECTION] (SAFE): The skill does not contain instructions that attempt to override agent behavior or bypass safety filters. Instructional text is focused on technical documentation and implementation patterns.