implement-a2a-server
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: Automated scanners flagged the command 'curl -s http://localhost:3000/.well-known/agent.json | python3'. However, the actual command in SKILL.md is 'curl -s http://localhost:3000/.well-known/agent.json | python3 -m json.tool'. The use of '-m json.tool' invokes a standard Python module for formatting JSON and does not execute the input data as code. This is a functional verification step.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of well-known dependencies from official registries (NPM and PyPI), including 'express', 'fastapi', and 'uvicorn'. These are standard tools for building web servers.
- [DATA_EXFILTRATION]: The server implementation includes support for push notifications via webhooks. This feature sends task data and artifacts to a user-provided HTTPS URL. While this is a functional requirement of the A2A protocol, it represents a controlled network egress point.
- [PROMPT_INJECTION]: The skill provides an implementation for a server that ingests untrusted task data from external sources, creating an attack surface for indirect prompt injection.
  - Ingestion points: The POST endpoints at '/' and '/subscribe' defined in SKILL.md.
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are provided in the code snippets.
  - Capability inventory: The skill is intended to execute tasks using capabilities such as 'Bash' and 'WebFetch' (as defined in the 'allowed-tools' section of SKILL.md).
  - Sanitization: The provided template logic does not include explicit sanitization or validation of the 'message' content before it is processed by skills.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:3000/.well-known/agent.json - DO NOT USE without thorough review