aronchick

Expanso cve-scan

by Expanso · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
944 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install expanso-cve-scan
Description
Scan software bill of materials (SBOM) for known CVE vulnerabilities using Expanso Edge pipelines.
README (SKILL.md)

cve-scan

Scan SBOM for known CVE vulnerabilities

Requirements

  • Expanso Edge installed (expanso-edge binary in PATH)
  • Install via: clawhub install expanso-edge

Usage

CLI Pipeline

# Run standalone
echo '<input>' | expanso-edge run pipeline-cli.yaml

MCP Pipeline

# Start as MCP server
expanso-edge run pipeline-mcp.yaml

Deploy to Expanso Cloud

expanso-cli job deploy https://skills.expanso.io/cve-scan/pipeline-cli.yaml

Files

File               Purpose
skill.yaml         Skill metadata (inputs, outputs, credentials)
pipeline-cli.yaml  Standalone CLI pipeline
pipeline-mcp.yaml  MCP server pipeline
Usage Guidance
This skill appears to be what it claims: a pipeline you run with expanso-edge that posts SBOM content to the public OSV API (api.osv.dev). Before installing or using it, consider:
  • Your SBOM contents are sent to a third-party public API (OSV). If your SBOM contains sensitive or internal package names, treat that as potential data exposure and confirm it is acceptable to your organization.
  • The CLI pipeline defaults the ecosystem to "npm" for every package, so results may be wrong or missing for non-npm packages. Review or adjust the pipeline mapping if you need the ecosystem inferred from each package's purl.
  • The MCP pipeline currently performs no OSV lookup and returns an empty vulnerabilities array; treat MCP mode as incomplete until you confirm it queries OSV as intended.
  • The skill declares an optional NVD_API_KEY that the provided pipelines never read. If you add NVD support, supply the key only if you trust the runtime environment.
  • Because this is an instruction-only skill, the risk comes from where you run it: install the expanso-edge binary from a trusted source, and expect outbound network access to api.osv.dev (and to deploy targets such as skills.expanso.io) to be required.
If you want this behaviour without sending SBOMs externally, run a local OSV mirror or an offline database backend and update the pipelines accordingly.
Capability Analysis
Type: OpenClaw Skill
Name: expanso-cve-scan
Version: 1.0.0
The skill's primary function is to scan SBOMs for CVE vulnerabilities using the OSV API. The `pipeline-cli.yaml` legitimately makes an HTTP POST request to `https://api.osv.dev/v1/querybatch` to perform this core function. There is no evidence of malicious intent, such as data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` to subvert the agent. The `pipeline-mcp.yaml` is functionally incomplete because it does not perform the actual scan; that is not a security vulnerability in itself, but a caller that trusts its empty result gets a silent false negative.
Capability Assessment
Purpose & Capability
Name and metadata describe an SBOM CVE scanner and the included pipeline files implement exactly that: CLI mode posts batch queries to the public OSV API. The only runtime dependency declared in SKILL.md is expanso-edge, which is required to run the provided pipelines — proportionate to the stated purpose.
Instruction Scope
CLI pipeline reads SBOM JSON from stdin and sends batch requests to api.osv.dev (OSV); this matches the stated goal. Two implementation issues to note: (1) the pipeline defaults ecosystem to "npm" for every package rather than inferring from purl, which may cause missed or incorrect matches; (2) the MCP pipeline file does not perform any OSV/http query and appears to return an empty vulnerabilities list (it logs and replies but does not call the OSV API) — this is likely a bug/unfinished mode rather than malicious scope creep. No instructions read arbitrary host files or request unexpected environment variables.
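The Usage Guidance and Instruction Scope sections both flag the same two gaps in the CLI pipeline: every package is queried as if it were npm, and internal package names go straight to a public API. The script below is an added example (not code from the expanso-cve-scan skill or from Expanso's pipelines) of what a corrected stage would do: derive the OSV ecosystem from each component's purl, apply OSV's package-naming rules for scoped npm, Maven and Go packages, hold back anything under an internal namespace, and emit the `/v1/querybatch` body that would otherwise be posted to api.osv.dev. The SBOM, the `@acme-internal/` prefix and the purl-type table are constructed for illustration.

```python
"""Build an OSV /v1/querybatch body from an SBOM, inferring the ecosystem from purl.

Added example for this listing, not code from the expanso-cve-scan skill. It
mirrors what the skill's CLI pipeline sends to api.osv.dev, but derives the OSV
ecosystem from purl instead of assuming npm and can hold back internal packages.
"""
import json
from urllib.parse import unquote

# purl type -> OSV ecosystem name. Subset of the OSV schema; extend as needed.
PURL_TYPE_TO_OSV = {
    "npm": "npm", "pypi": "PyPI", "golang": "Go", "maven": "Maven",
    "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet", "composer": "Packagist",
}

# Constructed sample SBOM (CycloneDX-style components), not a real project's.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "core", "version": "12.0.0", "purl": "pkg:npm/%40angular/core@12.0.0"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "yaml.v2", "version": "2.2.1", "purl": "pkg:golang/gopkg.in/yaml.v2@v2.2.1"},
        # hypothetical internal package: its name should not reach a public API
        {"name": "billing-sdk", "version": "3.1.0",
         "purl": "pkg:npm/%40acme-internal/billing-sdk@3.1.0"},
        # no purl at all: the skill's pipeline would silently query this as npm
        {"name": "mystery", "version": "1.0.0"},
    ],
}


def parse_purl(purl):
    """Return (type, osv_name, version) for a purl, or None if it cannot be parsed.

    Applies the name rules OSV expects: npm scope and Go module path keep '/',
    Maven uses 'group:artifact'.
    """
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = [unquote(p) for p in body.split("/") if p]
    if len(parts) < 2:
        return None
    ptype, rest = parts[0].lower(), parts[1:]
    if ptype == "maven":
        if len(rest) != 2:
            return None
        return ptype, ":".join(rest), version
    return ptype, "/".join(rest), version


def component_to_query(component, default_ecosystem=None):
    """One querybatch entry for a component; None if ecosystem, name or version is unknown.

    default_ecosystem=None is the safe choice. Passing "npm" reproduces the
    skill's current behaviour, where purl-less components are queried as npm.
    """
    parsed = parse_purl(component.get("purl", ""))
    if parsed:
        ptype, name, version = parsed
        ecosystem = PURL_TYPE_TO_OSV.get(ptype)
        version = version or component.get("version")
        # Go vulndb records semver without the leading "v" that go.mod and purl carry
        if ptype == "golang" and version and version.startswith("v"):
            version = version[1:]
    else:
        ecosystem, name, version = default_ecosystem, component.get("name"), component.get("version")
    if not (ecosystem and name and version):
        return None
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


def build_querybatch(sbom, internal_prefixes=(), default_ecosystem=None):
    """Return (payload, skipped): the /v1/querybatch body plus components held back."""
    queries, skipped = [], []
    for comp in sbom.get("components", []):
        query = component_to_query(comp, default_ecosystem)
        if query is None:
            skipped.append((comp.get("name"), "no ecosystem or version"))
        elif any(query["package"]["name"].startswith(p) for p in internal_prefixes):
            skipped.append((comp.get("name"), "internal package, not sent"))
        else:
            queries.append(query)
    return {"queries": queries}, skipped


if __name__ == "__main__":
    payload, skipped = build_querybatch(SAMPLE_SBOM, internal_prefixes=("@acme-internal/",))
    print(json.dumps(payload, indent=2))
    for name, reason in skipped:
        print(f"skipped {name}: {reason}")
```

To run the query for real, POST the printed body with `Content-Type: application/json` to https://api.osv.dev/v1/querybatch; the `results` array in the response lines up positionally with `queries`, and each entry carries only vulnerability ids, which you then resolve through `/v1/vulns/{id}`. Run the same script with `default_ecosystem="npm"` and no internal prefixes to see what the skill's current pipeline would send: the purl-less `mystery` component and the internal `billing-sdk` both go out as npm queries.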
Install Mechanism
This is instruction-only (no install spec). Nothing is downloaded or written by the skill package itself; it relies on the existing 'expanso-edge' binary. Low installation risk from the skill bundle.
Credentials
The skill declares an optional NVD_API_KEY in skill.yaml for higher rate limits, but no required credentials or sensitive environment variables are requested. The runtime pipelines do not reference any environment variables. Credential requests are minimal and proportional.
Persistence & Privilege
Skill is not always-on and does not request persistent platform privileges or modify other skills' configurations. It runs only when invoked via expanso-edge; the default autonomy flags are unchanged and not elevated.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install expanso-cve-scan
  3. After installation, invoke the skill by name or use /expanso-cve-scan
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish to ClawHub
Metadata
Slug expanso-cve-scan
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Expanso cve-scan?

Scan software bill of materials (SBOM) for known CVE vulnerabilities using Expanso Edge pipelines. It is an AI Agent Skill for Claude Code / OpenClaw, with 944 downloads so far.

How do I install Expanso cve-scan?

Run "/install expanso-cve-scan" in the OpenClaw or Claude Code chat to install the skill in one step. The skill bundle itself needs no further setup, but its pipelines require the expanso-edge binary to be in PATH (clawhub install expanso-edge), which the install command does not provide.

Is Expanso cve-scan free?

The listing offers Expanso cve-scan at no cost, but the License field on this page is empty; check the linked GitHub repository for the actual license terms before treating it as open-source.

Which platforms does Expanso cve-scan support?

Expanso cve-scan is cross-platform: it runs anywhere OpenClaw / Claude Code and the expanso-edge binary are available.

Who created Expanso cve-scan?

It is built and maintained by Expanso (@aronchick); the current version is v1.0.0.
