aronchick

Expanso tls-inspect

by Expanso · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
934 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install expanso-tls-inspect
Description
Inspect TLS certificates for expiry, SANs, chain validity, and cipher details using Expanso Edge pipelines.
README (SKILL.md)

tls-inspect

Inspect TLS certificate (expiry, SANs, chain, cipher)

Requirements

  • Expanso Edge installed (expanso-edge binary in PATH)
  • Install via: clawhub install expanso-edge

Usage

CLI Pipeline

# Run standalone
echo '<input>' | expanso-edge run pipeline-cli.yaml

MCP Pipeline

# Start as MCP server
expanso-edge run pipeline-mcp.yaml

Deploy to Expanso Cloud

expanso-cli job deploy https://skills.expanso.io/tls-inspect/pipeline-cli.yaml

Files

File               Purpose
skill.yaml         Skill metadata (inputs, outputs, credentials)
pipeline-cli.yaml  Standalone CLI pipeline
pipeline-mcp.yaml  MCP server pipeline
Usage Guidance
This skill appears to do what it says (inspect TLS certs), but exercise caution before installing or using it:

  • Command-injection risk: The CLI pipeline embeds the provided host directly into a shell command passed to sh -c. Do not run this skill on untrusted input or in contexts where an attacker can control the host string. Prefer sanitizing/validating host names (allow only hostname[:port] patterns) or modify the pipeline to avoid invoking a shell with unescaped user data.
  • Mode mismatch: CLI mode performs a real openssl connection; MCP mode returns mock/dummy certificate data. Treat MCP as a testing/mock endpoint only; it will not reflect real TLS state.
  • Missing metadata: The SKILL.md and pipeline require expanso-edge and openssl, but the skill registry metadata does not declare these required binaries. Confirm those dependencies are present before use.
  • Operational controls: If you will expose this to other users or wire it into automation, ensure input validation, run it in a least-privileged environment, and audit logs/outputs.

If you are not comfortable reviewing or editing the pipeline to safely escape inputs, avoid installing it or ask the author to fix the shell invocation to use a safer API (avoid sh -c or properly escape/validate host input). If the maintainer can demonstrate that the runtime escapes/validates host input, or replaces the sh -c invocation with a safer call (e.g., exec openssl directly without shell interpolation), the remaining concerns would be largely resolved.
Capability Analysis
Type: OpenClaw Skill
Name: expanso-tls-inspect
Version: 1.0.0

The `pipeline-cli.yaml` file contains a critical shell injection vulnerability. User-controlled input (`this.host` and `this.host_with_port`), derived directly from the skill's input, is embedded without sufficient sanitization into a `sh -c` command that executes `openssl`. This allows an attacker to inject arbitrary shell commands by crafting the input hostname, leading to potential remote code execution. While the skill's stated purpose is benign (TLS inspection), this severe input sanitization flaw makes it suspicious.
Capability Assessment
Purpose & Capability
The skill's files and SKILL.md describe a TLS certificate inspector and the CLI pipeline uses openssl to retrieve certificate data — this is coherent with the stated purpose. However, the registry metadata omitted the runtime binaries the SKILL.md and pipeline require (expanso-edge and openssl), which is an inconsistency that would affect deployability and security review.
Instruction Scope
The CLI pipeline constructs a shell command that embeds the user-supplied host into an sh -c invocation:

    echo | openssl s_client -servername "${! this.host }" -connect "${! this.host_with_port }" ...

Executing user-supplied text inside a shell command can enable command injection (e.g., embedded $(...) or backticks) unless the runtime fully escapes/limits contents. The pipeline otherwise does not read unrelated files or env vars.

Also, the MCP pipeline does not perform real TLS inspection and returns deterministic dummy certificate data; this behavioral mismatch (real inspection in CLI mode vs fake data in MCP mode) could surprise users or downstream automation.
Install Mechanism
This is an instruction-only skill with no install spec and no packaged downloads, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
The skill does not require environment variables or credentials. That is proportionate to its declared purpose. (Note: the SKILL.md does require expanso-edge and openssl binaries, but these are binaries rather than env/credentials.)
Persistence & Privilege
The skill does not request always: true and has no install-time persistence behavior in the package. It is user-invocable and can be called autonomously by the agent by default, which is standard for skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install expanso-tls-inspect
  3. After installation, invoke the skill by name or use /expanso-tls-inspect
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish to ClawHub
Metadata
Slug expanso-tls-inspect
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Expanso tls-inspect?

Inspect TLS certificates for expiry, SANs, chain validity, and cipher details using Expanso Edge pipelines. It is an AI Agent Skill for Claude Code / OpenClaw, with 934 downloads so far.

How do I install Expanso tls-inspect?

Run "/install expanso-tls-inspect" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Expanso tls-inspect free?

Yes, Expanso tls-inspect is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Expanso tls-inspect support?

Expanso tls-inspect is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Expanso tls-inspect?

It is built and maintained by Expanso (@aronchick); the current version is v1.0.0.
