a2a-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt shows generating and embedding bearer tokens into configuration/peer JSON and passing tokens to CLI scripts (e.g., --token, openclaw config set ... "$TOKEN"), which means an agent automating these steps would need to accept and output secret values verbatim, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required TOOLS.md A2A section and the provided scripts (scripts/a2a-send.mjs) cause the agent to auto-discover and fetch remote Agent Cards (e.g., http://<PEER_IP>/.well-known/agent-card.json) and send/receive messages from peer servers, meaning it ingests untrusted third‑party agent responses that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The setup includes steps that fetch and run remote code — e.g., cloning the plugin repo (git clone https://github.com/win4r/openclaw-a2a-gateway.git followed by npm install) and the Tailscale installer (curl -fsSL https://tailscale.com/install.sh | sh) — both of which are pulled at install/runtime and will execute remote code on the host.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt instructs running privileged installation commands (curl ... | sh) and explicitly uses "sudo tailscale up", and it modifies system/network and service configuration of the running server (installing plugins, changing OpenClaw config, restarting gateway), which requires or encourages elevated privileges and can alter machine state.