Unexpand Tool
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A piped text input could be misinterpreted as a local file path, causing the tool to fail or display the contents of an unintended file.
When no filename argument is supplied, the script reads stdin and uses that text as a file path, while SKILL.md documents piped text input. This is more likely a bug than malicious behavior, but users should avoid piping untrusted content.
open(sys.argv[1] if len(sys.argv)>1 else sys.stdin.read()).read()
Use explicit intended filenames and fix stdin handling before relying on piped-input workflows.
The skill may not run as documented, or a local command with the same name could be used instead of the included script.
The documentation references an unexpand-tool command and the manifest includes scripts/unexpand.py, but no install mechanism declares how that command is provided.
No install spec — this is an instruction-only skill.
Verify the command path or wire the included script explicitly before use.