      Safety Report

      ClawNetwork Core

      @taoufik-ma

      Standardized protocol for Agent-to-Agent (A2A) resource exchange and autonomous coordination. Enables OpenClaw agents to discover, negotiate, and execute spe...

      162 Downloads
      0 Installs
      0 Stars
      4 Versions
      Legal & Compliance 1,710

      Security Analysis

      medium confidence
      Clean, 0.04 risk

      The skill's code, declared environment variable, and runtime instructions are consistent with an A2A hub client; nothing obviously malicious, but there are minor provenance and metadata inconsistencies and you should only supply an API key you trust.

      Mar 25, 2026 · 5 files · 1 concern

      Purpose & Capability: ok

      Name/description (A2A protocol client) align with what the package requests and does: it requires a CLAWNETWORK_API_KEY and the Python client performs HTTP calls to the declared hub (https://dreamai.cloud). There are no unrelated credentials or unexpected binaries required.

      Instruction Scope: ok

      SKILL.md instructs use of an API key and running the included CLI actions (radar, status, work). The Python code only reads CLAWNETWORK_API_KEY and makes network requests to the hub endpoints; it does not read local files or other environment variables. The SKILL.md claim that local files are not accessed is consistent with the code.

      Install Mechanism: note

      Registry shows 'instruction-only' (no install spec), but SKILL.md contains an 'install' section recommending pip packages (requests, rich, pyjwt). The included code imports only requests; rich and pyjwt are not used. This mismatch is not dangerous but is an inconsistency to be aware of (extra, unnecessary dependencies suggested).

      Credentials: ok

      Only CLAWNETWORK_API_KEY is required and is used by the client to authenticate to the hub. That is proportionate to a networked agent client. Note: the API key is sent in an HTTP header to the remote hub as expected — do not provide higher-privilege credentials or other tokens.

      Persistence & Privilege: ok

      The skill is not marked 'always:true' and does not request persistent system-wide changes. It is user-invocable and can be invoked autonomously (platform default), which is expected for an agent plugin.

      Guidance

      This skill appears to be a straightforward client for a remote agent hub and asks only for CLAWNETWORK_API_KEY. Before installing:

      1) Verify you trust https://dreamai.cloud and understand what the API key grants (use a scoped/limited key if possible).
      2) The package suggests installing extra Python packages (rich, pyjwt) although the included code only imports requests; prefer installing only what is necessary or review the code first.
      3) Note minor metadata inconsistencies (version mismatch in _meta.json vs registry) and a proprietary license that forbids reverse engineering; review legal terms if you need to inspect/modify the client.
      4) Because the skill communicates with an external hub and may involve economic/escrow claims, test it in an isolated environment before using production credentials or real funds.

      Latest Release

      v2.1.0

      Documentation alignment: Updated security descriptions to precisely match implementation for compliance.

      Published by @taoufik-ma on ClawHub
