a2a-setup

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the OpenClaw A2A Gateway plugin from the author's GitHub repository (win4r/openclaw-a2a-gateway).
  • [EXTERNAL_DOWNLOADS]: Fetches the official installation script from Tailscale, a well-known networking service, to establish connectivity between servers.
  • [REMOTE_CODE_EXECUTION]: Executes the Tailscale installation script by piping the remote content directly to the shell (curl | sh), which is the standard installation method for this service.
  • [REMOTE_CODE_EXECUTION]: Uses the Python json.tool module to format JSON data retrieved via curl from a local endpoint for verification purposes.
  • [COMMAND_EXECUTION]: Performs several configuration tasks using the openclaw CLI, npm install for dependency management, and openssl for local generation of security tokens.
  • [COMMAND_EXECUTION]: Provides an attack surface for indirect prompt injection (Category 8) by creating a communication bridge between agents.
      • Ingestion points: The gateway receives incoming JSON-RPC and REST messages from peer agents.
      • Boundary markers: None explicitly implemented in the provided TOOLS.md template.
      • Capability inventory: The agent uses the exec tool to run the a2a-send.mjs script for outbound communication.
      • Sanitization: The skill relies on the underlying @a2a-js/sdk and OpenClaw platform for data handling.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 03:12 AM