a2a-wallet
Warn
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive cryptographic private keys stored on the local filesystem at
~/.a2a-wallet/. The documentation explicitly states that these keys are stored in a plain-text format and acknowledges that they are accessible to the agent runtime. - [REMOTE_CODE_EXECUTION]: The installation instructions for macOS and Linux systems recommend fetching a shell script from the vendor's GitHub repository and piping it directly into the shell (
curl | sh). - [EXTERNAL_DOWNLOADS]: The skill includes an
updatecommand for downloading new CLI binaries. Additionally, the Windows installation process involves downloading an executable file from the vendor's GitHub releases page. - [COMMAND_EXECUTION]: The skill operates by executing the
a2a-walletCLI tool and its various subcommands to perform blockchain transactions and agent interactions. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external 'Agent Cards' and metadata provided by remote agents during task execution.
- Ingestion points: Data is ingested from external URIs via the
a2a cardcommand and through metadata in agent response streams. - Boundary markers: The instructions do not define delimiters or markers to isolate instructions embedded within external agent data.
- Capability inventory: The skill has access to shell command execution, network communication, and sensitive filesystem paths containing wallet keys.
- Sanitization: There is no mention of sanitizing or validating the schema and content of data retrieved from external agent endpoints.
Audit Metadata