Expanso cve-scan
v1.0.0
Scan software bill of materials (SBOM) for known CVE vulnerabilities using Expanso Edge pipelines.
by Expanso (@aronchick)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
Name and metadata describe an SBOM CVE scanner and the included pipeline files implement exactly that: CLI mode posts batch queries to the public OSV API. The only runtime dependency declared in SKILL.md is expanso-edge, which is required to run the provided pipelines — proportionate to the stated purpose.
Instruction Scope
CLI pipeline reads SBOM JSON from stdin and sends batch requests to api.osv.dev (OSV); this matches the stated goal. Two implementation issues to note: (1) the pipeline defaults ecosystem to "npm" for every package rather than inferring from purl, which may cause missed or incorrect matches; (2) the MCP pipeline file does not perform any OSV/http query and appears to return an empty vulnerabilities list (it logs and replies but does not call the OSV API) — this is likely a bug/unfinished mode rather than malicious scope creep. No instructions read arbitrary host files or request unexpected environment variables.
Install Mechanism
This is instruction-only (no install spec). Nothing is downloaded or written by the skill package itself; it relies on the existing 'expanso-edge' binary. Low installation risk from the skill bundle.
Credentials
The skill declares an optional NVD_API_KEY in skill.yaml for higher rate limits, but no required credentials or sensitive environment variables are requested. The runtime pipelines do not reference any environment variables. Credential requests are minimal and proportional.
Persistence & Privilege
The skill is not always-on and does not request persistent platform privileges or modify other skills' configurations. It runs only when invoked via expanso-edge; the default autonomy flags are unchanged and not elevated.
Assessment
This skill appears to be what it claims: a pipeline you run with expanso-edge that posts SBOM content to the public OSV API (api.osv.dev). Before installing/using it, consider:
- Your SBOM contents are sent to a third-party public API (OSV). If your SBOM contains sensitive or internal package names, treat that as potential data exposure and verify acceptability with your org.
- The CLI pipeline defaults the ecosystem to "npm" for every package; results may be incorrect if your SBOM contains non-npm packages. Review/adjust the pipeline mapping if you need ecosystem inference from purl.
- The MCP pipeline currently does not perform OSV lookups (it returns an empty vulnerabilities array); treat MCP mode as incomplete until you confirm it queries OSV as intended.
- The skill declares an optional NVD_API_KEY (unused by the provided pipeline). If you plan to add NVD support, provide credentials only if you trust the runtime environment.
- Because this is an instruction-only skill, risk comes from where you run it: ensure the expanso-edge binary you install is from a trusted source and that network access to api.osv.dev (and any deploy targets like skills.expanso.io) is permitted.
If you need this behavior but want to avoid sending SBOMs externally, consider running a local OSV mirror or an offline DB backend and update the pipelines accordingly.