ClawHub

Expanso xml-to-json

v1.0.0

Convert XML input into JSON format using Expanso Edge pipelines for CLI, MCP server, or cloud deployment.

0· 810·0 current·0 all-time
byExpanso@aronchick
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, and pipelines all line up with an XML→JSON converter. However, SKILL.md references runtime tools (expanso-edge and expanso-cli) while the registry metadata lists no required binaries; the presence of expanso-cli in the usage examples is not declared. This is an omission/inconsistency but not evidence of malicious intent.
Instruction Scope
Runtime instructions and the mapping processors only parse input XML and produce JSON, include metadata (trace_id, timestamp), and for MCP expose a POST /convert endpoint. The instructions do not direct reading of unrelated files, secrets, shell history, or outbound exfiltration.
Install Mechanism
There is no install spec and no packaged code to download; this is instruction-only and relies on the expanso-edge binary. No remote archives or unusual installs are invoked by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The MCP pipeline uses a conventional PORT environment variable for binding but does not require secrets or external API keys. The lack of declared required binaries is a minor inconsistency (see purpose_capability).
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. Autonomous invocation is allowed by default but nothing in the skill combines that with broad credentials or system modifications.
Assessment
This skill appears to be a straightforward XML→JSON pipeline for Expanso Edge. Before installing or deploying, note two small issues: (1) SKILL.md expects the expanso-edge binary (and mentions expanso-cli for cloud deploy) but the registry metadata does not list required binaries — ensure you have those CLIs from trusted sources before running. (2) The MCP pipeline will bind to 0.0.0.0:${PORT:-8080} and expose a POST /convert endpoint — if you run that server on a machine reachable from untrusted networks, consider firewalling or binding to localhost. Test the pipeline with non-sensitive sample data and verify the expanso pipeline YAML files match your security policies before deploying to any cloud service.

Like a lobster shell, security has layers — review code before you run it.

latestvk970qyf5zx7dvj6v1h9k9pghhs80w217

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments