Expanso json-to-yaml

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward JSON-to-YAML converter, with minor setup and network-exposure details users should notice.

This skill looks safe for basic local JSON-to-YAML conversion. Before installing or using advanced modes, confirm you trust the Expanso tooling, avoid optional cloud deployment unless you need it, and restrict the MCP server to a trusted network or localhost if your JSON may contain private data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may need to install Expanso tooling or deploy a remote pipeline if you use the optional cloud workflow.

Why it was flagged

The skill is instruction-only but depends on external Expanso tooling and includes an optional deployment command that references a remote pipeline URL. This is disclosed and aligned with the skill's purpose, but users should verify the tooling and remote source before installing or deploying.

Skill content

Expanso Edge installed (`expanso-edge` binary in PATH) ... Install via: `clawhub install expanso-edge` ... `expanso-cli job deploy https://skills.expanso.io/json-to-yaml/pipeline-cli.yaml`

Recommendation

Use the included local pipeline when possible, and verify the Expanso tooling and remote URL before running installation or cloud deployment commands.

What this means

If you start MCP mode, other systems that can reach the host may be able to send JSON to the converter.

Why it was flagged

MCP/server mode starts an HTTP listener on all network interfaces. The endpoint only converts posted JSON and returns a synchronous response, but binding to 0.0.0.0 can expose the converter beyond the local machine.

Skill content

http:
  enabled: true
  address: "0.0.0.0:${PORT:-8080}"
...
http_server:
  path: /convert
  allowed_verbs: [POST]

Recommendation

Run the server only when needed, prefer binding to localhost or using firewall controls for private data, and avoid sending sensitive JSON over an exposed endpoint.