Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Expanso tls-inspect
v1.0.0Inspect TLS certificates for expiry, SANs, chain validity, and cipher details using Expanso Edge pipelines.
⭐ 0· 853·0 current·0 all-time
byExpanso@aronchick
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's files and SKILL.md describe a TLS certificate inspector and the CLI pipeline uses openssl to retrieve certificate data — this is coherent with the stated purpose. However, the registry metadata omitted the runtime binaries the SKILL.md and pipeline require (expanso-edge and openssl), which is an inconsistency that would affect deployability and security review.
Instruction Scope
The CLI pipeline constructs a shell command that embeds the user-supplied host into an sh -c invocation: echo | openssl s_client -servername "${! this.host }" -connect "${! this.host_with_port }" ... Executing user-supplied text inside a shell command can enable command injection (e.g., embedded $(...) or backticks) unless the runtime fully escapes/limits contents. The pipeline otherwise does not read unrelated files or env vars. Also, the MCP pipeline does not perform real TLS inspection and returns deterministic dummy certificate data — this behavioral mismatch (real inspection in CLI mode vs fake data in MCP mode) could surprise users or downstream automation.
Install Mechanism
This is an instruction-only skill with no install spec and no packaged downloads, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
The skill does not require environment variables or credentials. That is proportionate to its declared purpose. (Note: the SKILL.md does require expanso-edge and openssl binaries, but these are binaries rather than env/credentials.)
Persistence & Privilege
The skill does not request always: true and has no install-time persistence behavior in the package. It is user-invocable and can be called autonomously by the agent by default, which is standard for skills.
What to consider before installing
This skill appears to do what it says (inspect TLS certs), but exercise caution before installing/using it:
- Command-injection risk: The CLI pipeline embeds the provided host directly into a shell command passed to sh -c. Do not run this skill on untrusted input or in contexts where an attacker can control the host string. Prefer sanitizing/validating host names (allow only hostname[:port] patterns) or modify the pipeline to avoid invoking a shell with unescaped user data.
- Mode mismatch: CLI mode performs a real openssl connection; MCP mode returns mock/dummy certificate data. Treat MCP as a testing/mock endpoint only — it will not reflect real TLS state.
- Missing metadata: The SKILL.md and pipeline require expanso-edge and openssl, but the skill registry metadata does not declare these required binaries. Confirm those dependencies are present before use.
- Operational controls: If you will expose this to other users or wire it into automation, ensure input validation, run it in a least-privileged environment, and audit logs/outputs. If you are not comfortable reviewing or editing the pipeline to safely escape inputs, avoid installing it or ask the author to fix the shell invocation to use a safer API (avoid sh -c or properly escape/validate host input).
If the maintainer can demonstrate that the runtime escapes/validates host input or replace the sh -c invocation with a safer call (e.g., exec openssl directly without shell interpolation), the remaining concerns would be largely resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk9717kx0nmtee4w4hjhfaqdyx180wkap
License
MIT-0
Free to use, modify, and redistribute. No attribution required.