944 total downloads · 0 favorites · 1 current install · 1 version
Install in OpenClaw
/install expanso-cve-scan
Description
Scan software bill of materials (SBOM) for known CVE vulnerabilities using Expanso Edge pipelines.
Usage (SKILL.md)
cve-scan
Scan SBOM for known CVE vulnerabilities
Requirements
- Expanso Edge installed (`expanso-edge` binary in PATH)
- Install via: `clawhub install expanso-edge`
Usage
CLI Pipeline
# Run standalone
echo '<input>' | expanso-edge run pipeline-cli.yaml
MCP Pipeline
# Start as MCP server
expanso-edge run pipeline-mcp.yaml
Deploy to Expanso Cloud
expanso-cli job deploy https://skills.expanso.io/cve-scan/pipeline-cli.yaml
Files
| File | Purpose |
|---|---|
| skill.yaml | Skill metadata (inputs, outputs, credentials) |
| pipeline-cli.yaml | Standalone CLI pipeline |
| pipeline-mcp.yaml | MCP server pipeline |
Safe-usage recommendations
This skill appears to be what it claims: a pipeline, run with expanso-edge, that posts SBOM content to the public OSV API (api.osv.dev). Before installing or using it, consider:
- Your SBOM contents are sent to a third-party public API (OSV). If your SBOM contains sensitive or internal package names, treat that as potential data exposure and verify acceptability with your org.
- The CLI pipeline defaults the ecosystem to "npm" for every package, so lookups for non-npm packages (PyPI, Maven, Go, and so on) will be missed or matched against the wrong ecosystem. Review and adjust the pipeline mapping if you need the ecosystem inferred from each package's purl.
- The MCP pipeline currently does not perform OSV lookups (it returns an empty vulnerabilities array); treat MCP mode as incomplete until you confirm it queries OSV as intended.
- The skill declares an optional NVD_API_KEY (unused by the provided pipeline). If you plan to add NVD support, provide credentials only if you trust the runtime environment.
- Because this is an instruction-only skill, risk comes from where you run it: ensure the expanso-edge binary you install is from a trusted source and that network access to api.osv.dev (and any deploy targets like skills.expanso.io) is permitted.
If you need this behavior but want to avoid sending SBOMs externally, consider running a local OSV mirror or an offline DB backend and update the pipelines accordingly.
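The two caveats above (the SBOM leaves your network, and the pipeline forces every package into the npm ecosystem) can both be checked before anything is sent. The following is an added example and is not code from the skill or from Expanso: it parses the purls in a constructed CycloneDX-style SBOM, maps each purl type to the OSV ecosystem name, builds the `/v1/querybatch` body that a corrected pipeline would POST, lists exactly which (ecosystem, name, version) triples would leave your network, and shows which packages a hard-coded "npm" default would route to the wrong ecosystem. It performs no network I/O; the sample SBOM, the function names and the (partial) purl-to-ecosystem table are assumptions for illustration.

```python
"""Build an OSV /v1/querybatch body from a CycloneDX SBOM, inferring the
ecosystem from each component's purl instead of hard-coding "npm".
Added example; not the skill's own pipeline code."""
import json
from urllib.parse import unquote

# purl type -> OSV ecosystem name (a subset, spelled as api.osv.dev expects).
# Assumed table for this example; extend it for the ecosystems you ship.
PURL_TYPE_TO_OSV = {
    "npm": "npm",
    "pypi": "PyPI",
    "golang": "Go",
    "maven": "Maven",
    "cargo": "crates.io",
    "gem": "RubyGems",
    "nuget": "NuGet",
    "composer": "Packagist",
}


def parse_purl(purl):
    """Return (type, name, version) from a package URL.

    Handles pkg:npm/lodash@4.17.20, scoped pkg:npm/%40babel/core@7.0.0
    (the purl spec percent-encodes the '@' in a namespace),
    pkg:maven/group/artifact@ver and namespaces containing slashes.
    Qualifiers (?...) and subpaths (#...) are dropped; the version string is
    returned as written, with no per-ecosystem normalisation.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    ptype, _, name_ver = rest.partition("/")
    name_part, _, version = name_ver.rpartition("@")
    if not name_part:          # no '@' at all: rpartition put the name in 'version'
        name_part, version = version, None
    segs = [unquote(s) for s in name_part.split("/")]
    if ptype.lower() == "maven" and len(segs) >= 2:
        name = ":".join(segs[-2:])   # OSV names Maven packages groupId:artifactId
    else:
        name = "/".join(segs)
    return ptype.lower(), name, unquote(version) if version else None


def build_querybatch(sbom, default_ecosystem=None):
    """Turn CycloneDX 'components' into the OSV /v1/querybatch request body.

    Components without a purl, without a version, or with a purl type that is
    not in the table are returned in 'skipped' instead of being silently
    queried under a guessed ecosystem (which is what a fixed "npm" default does).
    """
    queries, skipped = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            skipped.append((comp.get("name"), "no purl"))
            continue
        ptype, name, version = parse_purl(purl)
        eco = PURL_TYPE_TO_OSV.get(ptype, default_ecosystem)
        if eco is None:
            skipped.append((name, f"unmapped type {ptype!r}"))
            continue
        if version is None:
            skipped.append((name, "no version"))
            continue
        queries.append({"package": {"name": name, "ecosystem": eco}, "version": version})
    return {"queries": queries}, skipped


def outbound_names(body):
    """Everything that would leave your network: (ecosystem, name, version) per query.
    Review this list before posting an SBOM with internal package names to a third party."""
    return sorted((q["package"]["ecosystem"], q["package"]["name"], q["version"])
                  for q in body["queries"])


def misrouted_under_npm(sbom):
    """Component names a fixed "npm" default would look up in the wrong ecosystem."""
    return [c["name"] for c in sbom.get("components", [])
            if c.get("purl") and parse_purl(c["purl"])[0] != "npm"]


# Constructed sample SBOM (CycloneDX-style); not a real project inventory.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "core", "version": "7.0.0", "purl": "pkg:npm/%40babel/core@7.0.0"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "acme-internal-billing", "version": "3.2.0",     # internal package
         "purl": "pkg:generic/acme-internal-billing@3.2.0"},
        {"name": "unknown-thing", "version": "1.0"},              # no purl at all
    ],
}

if __name__ == "__main__":
    body, skipped = build_querybatch(SAMPLE_SBOM)
    print(json.dumps(body, indent=2))          # the exact payload an OSV query would carry
    print("skipped:", skipped)
    print("would be sent:", outbound_names(body))
    print("misrouted by an npm-only default:", misrouted_under_npm(SAMPLE_SBOM))
```

The returned body is what you would POST to `https://api.osv.dev/v1/querybatch`, or to a local OSV mirror by swapping the host; nothing in the block sends it. The `skipped` list is the part worth reading before a scan: an unmapped purl type or a missing version is a gap in coverage, not a clean result, and an internal package name that appears in `outbound_names` is the data-exposure case the recommendations above describe.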
Functional analysis
Type: OpenClaw Skill
Name: expanso-cve-scan
Version: 1.0.0
The skill's primary function is to scan SBOMs for CVE vulnerabilities using the OSV API. The `pipeline-cli.yaml` legitimately makes an HTTP POST request to `https://api.osv.dev/v1/querybatch` to perform this core function. There is no evidence of malicious intent, such as data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` to subvert the agent. The `pipeline-mcp.yaml` is functionally incomplete as it does not perform the actual scan, but this is not a security vulnerability.
Capability assessment
Purpose & Capability
Name and metadata describe an SBOM CVE scanner and the included pipeline files implement exactly that: CLI mode posts batch queries to the public OSV API. The only runtime dependency declared in SKILL.md is expanso-edge, which is required to run the provided pipelines — proportionate to the stated purpose.
Instruction Scope
CLI pipeline reads SBOM JSON from stdin and sends batch requests to api.osv.dev (OSV); this matches the stated goal. Two implementation issues to note: (1) the pipeline defaults ecosystem to "npm" for every package rather than inferring from purl, which may cause missed or incorrect matches; (2) the MCP pipeline file does not perform any OSV/http query and appears to return an empty vulnerabilities list (it logs and replies but does not call the OSV API) — this is likely a bug/unfinished mode rather than malicious scope creep. No instructions read arbitrary host files or request unexpected environment variables.
Install Mechanism
This is instruction-only (no install spec). Nothing is downloaded or written by the skill package itself; it relies on the existing 'expanso-edge' binary. Low installation risk from the skill bundle.
Credentials
The skill declares an optional NVD_API_KEY in skill.yaml for higher rate limits, but no required credentials or sensitive environment variables are requested. The runtime pipelines do not reference any environment variables. Credential requests are minimal and proportional.
Persistence & Privilege
Skill is not always-on and does not request persistent platform privileges or modify other skills' configurations. It runs when invoked via expanso-edge; default autonomy flags are unchanged but not elevated.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install expanso-cve-scan
- After installation, call the skill by name directly, or trigger it with /expanso-cve-scan
- Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.0
Initial publish to ClawHub
FAQ
What is Expanso cve-scan?
Scan software bill of materials (SBOM) for known CVE vulnerabilities using Expanso Edge pipelines. It is an AI agent skill plugin for Claude Code / OpenClaw, with 944 downloads to date.
How do I install Expanso cve-scan?
Run the command "/install expanso-cve-scan" in the OpenClaw or Claude Code chat box to install it in one step. The skill itself needs no extra configuration, but it requires the `expanso-edge` binary in PATH (see Requirements above).
Is Expanso cve-scan free?
Yes, Expanso cve-scan is completely free (open source) and can be downloaded, installed and used freely.
Which platforms does Expanso cve-scan support?
Expanso cve-scan is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who develops Expanso cve-scan?
Developed and maintained by Expanso (@aronchick); current version v1.0.0.