Skill v1.0.0
ClawScan security
Expanso keyword-extract · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:44 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (extract keywords) but has a few incoherencies and privacy/operational risks you should understand before installing.
- Guidance: This skill runs Expanso pipelines that send your input text to an OpenAI model and also compute and emit an input_hash and trace metadata. Before installing: (1) Be aware that text you process may be sent to OpenAI; do not send sensitive data unless you are comfortable with that. (2) Provide an OPENAI_API_KEY only if you trust the key and account; note the skill's metadata marks the key optional even though the pipelines use it. (3) If you run MCP mode, the pipeline binds to 0.0.0.0 by default; run behind a firewall or bind to localhost to avoid exposing the endpoint. (4) If you need on-device privacy, investigate configuring a local backend (Ollama) instead of OpenAI, and verify the pipelines are adjusted accordingly. Finally, confirm you trust the expanso-edge/expanso-cli binaries referenced by the instructions before running them.
Review Dimensions
- Purpose & Capability (note): The declared purpose (keyword extraction) matches the provided pipelines and files. However, skill.yaml lists OPENAI_API_KEY as optional while both pipeline-cli.yaml and pipeline-mcp.yaml clearly require and use OPENAI_API_KEY for OpenAI completions. The skill also advertises local Ollama backends in metadata but the provided pipelines use the OpenAI processor. The mismatch between declared required credentials and the actual pipelines is an incoherence.
- Instruction Scope (concern): The SKILL.md and the pipelines instruct expanso-edge to: compute sha256(input) and other metadata, send the input text to OpenAI via openai_chat_completion, and (in MCP mode) listen on 0.0.0.0:${PORT} which exposes an HTTP endpoint if you run it. The skill logs trace_id and includes input_hash/input_length in outputs. Sending raw text to an external LLM and creating hashes of inputs are privacy-sensitive behaviors that are not highlighted in skill metadata; exposing an HTTP server on 0.0.0.0 can unintentionally accept external traffic.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code to write to disk. That lowers install-time risk. It does require the expanso-edge binary to be present (documented).
- Credentials (concern): Pipelines require OPENAI_API_KEY to function, but the skill metadata marks it as not required. No other credentials are requested. The skill also supports MAX_KEYWORDS via env and uses OPENAI_API_KEY in cleartext substitution in pipeline files; ensure you supply a key you trust and understand that the key will be used to send your text to OpenAI. The optional listing of local Ollama models is not enforced by the pipelines and could be misleading.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills' configs, and has no install step that persists additional privileged components. Running MCP mode will run a server but that is explicit in the docs.
