v1.0.0

Expanso tls-inspect

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:34 AM.

Analysis

Review before installing: the CLI pipeline passes the supplied host into a shell command, and the MCP pipeline appears to return fabricated “valid” certificate results rather than actually inspecting TLS.

Guidance: Install only after review or fixes. If you run it now, use trusted hostname inputs only, do not expose the MCP server publicly, and independently verify certificate expiry and chain validity because the current pipelines can produce misleading validity results.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
pipeline-cli.yaml
meta host = content().trim() ... name: "sh" ... args: ["-c", "echo | openssl s_client -servername \"${! this.host }\" -connect \"${! this.host_with_port }\""]

The pipeline takes the host directly from input and inserts it into a shell command. Without hostname validation or shell-safe escaping, crafted host text could be interpreted as shell syntax instead of only as an OpenSSL argument.

User impact: A malicious or accidental hostname value could cause commands to run on the machine executing the skill, not just inspect a TLS certificate.
Recommendation: Do not run this with untrusted host values. The skill should validate hostnames and ports strictly and invoke openssl without sh -c, or otherwise use safe argument passing and shell escaping.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
pipeline-mcp.yaml
"issuer": "Demo CA" ... root.valid = true ... root.days_until_expiry = 365

The MCP pipeline does not connect to the requested host or inspect a real certificate; it fabricates successful certificate details for the supplied host.

User impact: A user or agent could believe a host has a valid certificate when no real TLS inspection was performed.
Recommendation: Treat MCP-mode results as unreliable until the pipeline performs an actual TLS connection and certificate validation, or clearly labels this mode as a demo stub.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
pipeline-cli.yaml
# Check if expired (simple string comparison won't work for dates, so mark as valid if we got data)
let has_cert = $subject != "Unknown"

The CLI pipeline's valid result is based on whether any certificate subject was found, not whether the certificate is unexpired, chain-valid, or cipher-checked as the skill description claims.

User impact: The skill may report a certificate as valid even when it is expired, has chain problems, or has not had cipher details checked.
Recommendation: Require real expiry parsing, chain verification, and cipher reporting before relying on this skill for security decisions.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
expanso-cli job deploy https://skills.expanso.io/tls-inspect/pipeline-cli.yaml

The deployment example fetches a remote pipeline by URL rather than deploying the reviewed local file with a pinned hash or version.

User impact: The cloud-deployed pipeline could differ from the artifact shown here if the remote URL changes.
Recommendation: Prefer deploying a reviewed local file or a pinned, integrity-checked version of the pipeline.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
pipeline-mcp.yaml
http:
  enabled: true
  address: "0.0.0.0:${PORT:-8080}"
...
http_server:
  path: /inspect
  allowed_verbs: [POST]

When MCP mode is started, it listens on all network interfaces rather than only localhost.

User impact: Other machines that can reach the host may be able to call the inspection endpoint while it is running.
Recommendation: Bind MCP mode to localhost by default or place it behind explicit authentication/firewall controls if remote access is intended.