Expanso yaml-to-json
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do the advertised YAML-to-JSON conversion, with minor setup and network-exposure notes users should understand before running it.
This skill looks coherent and purpose-aligned for YAML-to-JSON conversion. Before installing, confirm you trust the Expanso tooling source, decide whether you need the HTTP/MCP server mode, and if you run that mode, restrict network access or bind it locally when handling private data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or deploying through external Expanso commands could run or deploy code/configuration outside the reviewed local files if the referenced sources differ.
The skill relies on external Expanso tooling and includes an optional cloud deployment command using a remote pipeline URL. This is disclosed and aligned with the Expanso pipeline purpose, but it means users should trust those external sources before installing or deploying.
Expanso Edge installed (`expanso-edge` binary in PATH) ... Install via: `clawhub install expanso-edge` ... `expanso-cli job deploy https://skills.expanso.io/yaml-to-json/pipeline-cli.yaml`
Install Expanso tooling only from trusted sources, and prefer deploying the reviewed local `pipeline-cli.yaml` unless you intentionally trust the remote URL.
If started on a networked machine, other devices may be able to reach the converter and submit data or observe that the service is running, depending on firewall and network settings.
The MCP/HTTP mode starts a POST endpoint on all network interfaces. The endpoint only converts submitted YAML, but the artifacts do not show authentication or localhost-only binding.
```yaml
http:
  enabled: true
  address: "0.0.0.0:${PORT:-8080}"
...
http_server:
  path: /convert
  allowed_verbs: [POST]
```
Run server mode only when needed, bind it to localhost or protect it with network controls if available, and avoid sending sensitive YAML through an exposed endpoint.
