Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
expanso
v1.0.2
Data processing pipelines for OpenClaw. Deploy skills from the Expanso marketplace to transform, analyze, and process data locally.
⭐ 0 · 2k · 1 current · 1 all-time
by Expanso @aronchick
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (deploy and run Expanso pipelines locally) matches the declared requirements: curl and the EXPANSO_EDGE_BOOTSTRAP_URL / EXPANSO_EDGE_BOOTSTRAP_TOKEN environment variables are exactly what a cloud‑managed edge node would need.
Instruction Scope
SKILL.md stays within the stated purpose: it instructs you to install the Edge and CLI, set bootstrap URL/token, start expanso-edge, and deploy pipelines from the marketplace. However, starting the Edge registers the node with Expanso Cloud and allows remote pipeline deployments — this is expected but grants the cloud the ability to run code on your machine, so the instructions have significant operational impact.
Install Mechanism
The instructions use curl -fsSL https://get.expanso.io/... | bash (and sh) — i.e., download-and-pipe-to-shell. Even if the domain matches other Expanso domains in the SKILL.md, piping remote install scripts to a shell is high-risk because it executes code fetched at install time without local review.
Credentials
The skill requires a bootstrap URL and token (EXPANSO_EDGE_BOOTSTRAP_URL and EXPANSO_EDGE_BOOTSTRAP_TOKEN) and designates the token as the primary credential. Those are necessary for the stated cloud-managed workflow, but the bootstrap token is a high‑privilege credential (it lets the cloud deploy pipelines to your Edge). Requesting that token is proportionate to the purpose, but it represents a sensitive capability and should be treated as such.
Persistence & Privilege
always is false and the skill doesn't request system paths or to modify other skills. No persistent or force-included privilege is requested by the skill metadata.
What to consider before installing
This skill appears to do what it says (connect your machine as an Expanso Edge and deploy pipelines), but there are two things to consider before installing:
- Review the install scripts before running them. The SKILL.md recommends curl | bash from get.expanso.io; that runs remote code on your machine. Fetch the script first (curl ... -o install.sh) and review it, or prefer installation via your OS package manager if available.
- Treat the bootstrap token as highly sensitive. Anyone with it (or a compromised marketplace entry) can deploy pipelines to your Edge that will execute locally. Use least-privilege tokens, create a dedicated org/node with limited access, and rotate/revoke tokens after testing.
- Audit the marketplace pipelines you deploy. Ensure any pipeline you run is from a trusted publisher and inspect pipeline definitions if possible.
If you want to proceed more safely: run the installer in an isolated environment (VM/container), manually inspect the install scripts, and verify the get.expanso.io TLS certificate and domain alignment with official Expanso pages before providing credentials. If you can, obtain bootstrap credentials scoped to test/development rather than your production environment.
Like a lobster shell, security has layers — review code before you run it.
Plugin bundle (nix)
Skill pack · CLI binary · Config
latest vk972en9m6n5bt12d9v8jmqmks980f05m
Runtime requirements
Bins: curl
Env: EXPANSO_EDGE_BOOTSTRAP_URL, EXPANSO_EDGE_BOOTSTRAP_TOKEN
Primary env: EXPANSO_EDGE_BOOTSTRAP_TOKEN
