← Back to Skills Marketplace
abdelsfane

OpenA2A Security

by Abdel Fane · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
519
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install opena2a-security
Description
Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actio...
Usage Guidance
This skill looks like an on-demand local auditor, but proceed cautiously: (1) The SKILL.md tells the agent to run 'npx hackmyagent' — npx will typically fetch code from the npm registry at runtime, which contradicts the claim 'runs entirely locally' and means remote code could be executed. (2) There is no source/homepage or pinned package/version/checksum provided — you cannot verify the exact code that will run. Recommended next steps before installing/using: a) Verify provenance of 'hackmyagent' (npm package page, repository, maintainer) and prefer a pinned, audited release; b) If possible, vendor the scanner locally (install the package yourself and inspect it) or run the commands manually in a controlled sandbox; c) Run the scanner in an isolated environment (container or VM) and review generated output before allowing any automation to act on it; d) Ask the publisher for a homepage, repository link, and a signed checksum or pinned version; e) If you must run via npx, consider network controls or npm cache use and inspect package contents (npm pack) beforehand. If the author can supply a repository link, pinned version, and checksum, or provide a vendored copy of hackmyagent, the concerns would be largely mitigated.
Capability Analysis
Type: OpenClaw Skill Name: opena2a-security Version: 1.0.0 This skill is designed for security auditing and hardening of OpenClaw installations. Its stated purpose is to scan for vulnerabilities, malware, and credential exposure, which is a legitimate security function. The `SKILL.md` explicitly declares `permissions.network: []`, ensuring no external API calls, and `permissions.exec` is limited to `npx hackmyagent`, which is the open-source security scanner it uses. All instructions for the AI agent are transparent, directly related to security scanning, and lack any evidence of prompt injection, data exfiltration, obfuscation, or other malicious intent. The requested filesystem access to `~/.openclaw` is necessary and appropriate for its stated security auditing purpose.
Capability Assessment
Purpose & Capability
Name/description claim a local security auditor for OpenClaw; the SKILL.md requires node/npx and instructs running a tool called 'hackmyagent', which is coherent with a scanner. However the registry metadata lists no source or homepage despite in-text claims (OpenA2A/opena2a.org), which reduces provenance confidence. The 'runs entirely locally / no external API calls' claim conflicts with using npx to obtain and run a package.
Instruction Scope
Runtime instructions tell the agent to execute commands like 'npx hackmyagent secure ~/.openclaw' and other npx invocations. Those commands will run code obtained at runtime (npx may fetch from npm) and potentially access and report on ~/.openclaw and config files. The SKILL.md explicitly asserts no data leaves the machine, but using npx introduces a network-fetch step not reflected in the frontmatter permissions (network: []). The instructions do not ask for unrelated files or secrets, but the network/download contradiction increases risk.
Install Mechanism
There is no install spec (instruction-only), but the skill relies on npx to fetch and run 'hackmyagent' from the npm ecosystem. Dynamic fetch-and-execute via npx is a non-trivial install/runtime action: it may download arbitrary code at run time and run lifecycle scripts. The SKILL.md does not pin a package version, provide a provenance URL, or a checksum. This is moderate-to-high risk compared with a fully local, vendored scanner.
Credentials
The skill requests no environment variables and only declares filesystem access to ~/.openclaw, which is proportionate for a local OpenClaw audit. There are no requests for unrelated cloud credentials or wide-ranging env secrets. That said, because it executes external code via npx, that external code could request additional access during runtime — which is not captured here.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or agent-wide settings. It appears to be an on-demand audit tool, which is appropriate for its purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install opena2a-security
  3. After installation, invoke the skill by name or use /opena2a-security
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of opena2a-security for OpenClaw. - Adds local security auditing and hardening with no external API calls. - Scans configurations, installed skills, and credentials for vulnerabilities and exposures, including CVE-2026-25253. - Detects malicious skill code, supply chain risks, and improper credential handling. - Provides actionable security recommendations tailored to your setup. - Outputs results in multiple formats (text, json, sarif, html, asp). - Documentation includes step-by-step run instructions and guidance for both users and skill publishers.
Metadata
Slug opena2a-security
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is OpenA2A Security?

Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actio... It is an AI Agent Skill for Claude Code / OpenClaw, with 519 downloads so far.

How do I install OpenA2A Security?

Run "/install opena2a-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenA2A Security free?

Yes, OpenA2A Security is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenA2A Security support?

OpenA2A Security is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenA2A Security?

It is built and maintained by Abdel Fane (@abdelsfane); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments