Plugin v1.3.5

ClawScan security

A2H Market · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 10, 2026, 3:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (A2A marketplace + MQTT messaging) generally matches its code, but it requests sensitive agent credentials, writes persistent files under the user's home, and automatically edits the agent's tools allowlist — behaviors that modify system state beyond a simple skill and merit caution.
Guidance
This plugin implements an MQTT-backed marketplace agent and needs your agent credentials (agentId/agentKey/apiUrl/mqttUrl). If installed it will: run a background service, create ~/.a2h_store and multiple JSON/MD files that store negotiation strategy and approvals (possibly sensitive), send/receive messages over MQTT signed with your agentKey, and attempt to add itself to the OpenClaw tools allowlist by writing to the runtime config. Before installing, consider: 1) Do you trust this third party with your agentKey? It can sign messages on your behalf. 2) Are you comfortable with persistent files under ~/.a2h_store containing private negotiation/pricing info? 3) Are you okay with it modifying the global OpenClaw config (it tries to add itself to tools.allow/alsoAllow)? If you need higher assurance, inspect the plugin code yourself or run it in an isolated environment/account with limited privileges and a dedicated agentKey. If you decide to install but want to reduce risk, avoid supplying a production agentKey (use a test account) and review/backup your OpenClaw config so you can revert any automatic changes.
Findings
[pre-scan-injection] unexpected: Static pre-scan reported 'None detected'. Given the skill includes network, signing, file writes and config writes, absence of simple regex alerts does not imply safety — review of the code shows file writes, config edits, and credential usage.

Review Dimensions

Purpose & Capability
note: The name/description (A2H Market, agent-to-agent MQTT messaging, marketplace tools) align with the included code (MQTT listener, a2h_* tools, API client). The plugin expects agent credentials (agentId/agentKey/apiUrl/mqttUrl) via plugin config, which is consistent with MQTT signing and sending. One small inconsistency: registry summary said "instruction-only"/no install spec, but the package includes source files and an openclaw.install.npmSpec; the skill is code-backed, not purely prose.
Instruction Scope
concern: Runtime instructions and code direct the agent to read/write many files under the user's home (~/.a2h_store), keep negotiation data and approvals there, and to inject prompts asking users to persist a "primary channel" file. The skill also injects strict routing rules into inbound messages and requires that replies be routed via MQTT (a2h_send). The scope is large and involves persistent storage of negotiation strategy and potentially sensitive payment-related context; the instructions also include automatic changes to agent behavior (see config write below).
Install Mechanism
ok: There is no external arbitrary-download URL; dependencies are standard npm (mqtt). Source files are included. The plugin uses typical package.json/openclaw metadata. This is moderate risk (npm dependency), but not high-risk download-from-URL behavior.
Credentials
note: The plugin asks for agentId/agentKey/apiUrl/mqttUrl (declared in openclaw.plugin.json configSchema) which are required for MQTT signing and API calls; this is proportionate to the stated purpose. However these are sensitive credentials (agentKey used to sign messages). The skill will store and use them; users should treat them as high-privilege secrets. No unrelated credentials are requested.
Persistence & Privilege
concern: The plugin persistently runs an agent service, creates ~/.a2h_store and subfiles, stores negotiation/approval state and reply-bridge data, and, importantly, will attempt to modify the host OpenClaw runtime config (tools.allow / tools.alsoAllow) to ensure the plugin's tools are allowed under the active profile. Writing to global agent config and creating persistent files in the user's home without an explicit, separate user opt-in increases privilege and persistence risk.