a2a-setup
Fail
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes an installation script from Tailscale (tailscale.com) to establish network connectivity between servers.
- [REMOTE_CODE_EXECUTION]: Instructions include a verification step that pipes the response from a local network endpoint directly into the Python interpreter for JSON formatting using the `json.tool` module.
- [COMMAND_EXECUTION]: The skill configures the agent to use the `exec` tool to run a local Node.js script (`a2a-send.mjs`) for sending messages and files to other agents.
- [DATA_EXFILTRATION]: The communication script (`a2a-send.mjs`) possesses the capability to read local files from the filesystem via the `--file-path` argument and transmit their contents to a remote URL provided in the command line.
- [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by allowing the agent to ingest and process data from external peer agents.
  - Ingestion points: The agent reads and potentially acts upon the stdout responses from `a2a-send.mjs` as documented in `SKILL.md` and the `tools-md-template.md` reference.
  - Boundary markers: No delimiters or "ignore instructions" markers are defined in the provided `TOOLS.md` template for peer responses.
  - Capability inventory: The agent utilizes the `exec` tool to interact with the communication script.
  - Sanitization: There is no evidence of sanitization or validation performed on the messages received from external agents before they are processed by the local agent.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:18800/.well-known/agent-card.json, https://tailscale.com/install.sh - DO NOT USE without thorough review
Audit Metadata