Total downloads: 934
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install expanso-tls-inspect
Description
Inspect TLS certificates for expiry, SANs, chain validity, and cipher details using Expanso Edge pipelines.
Usage instructions (SKILL.md)
tls-inspect
Inspect TLS certificate (expiry, SANs, chain, cipher)
Requirements
- Expanso Edge installed (expanso-edge binary in PATH)
- Install via: clawhub install expanso-edge
Usage
CLI Pipeline
# Run standalone
echo '<input>' | expanso-edge run pipeline-cli.yaml
MCP Pipeline
# Start as MCP server
expanso-edge run pipeline-mcp.yaml
Deploy to Expanso Cloud
expanso-cli job deploy https://skills.expanso.io/tls-inspect/pipeline-cli.yaml
Files
| File | Purpose |
|---|---|
| skill.yaml | Skill metadata (inputs, outputs, credentials) |
| pipeline-cli.yaml | Standalone CLI pipeline |
| pipeline-mcp.yaml | MCP server pipeline |
Security usage recommendations
This skill appears to do what it says (inspect TLS certs), but exercise caution before installing/using it:
- Command-injection risk: The CLI pipeline embeds the provided host directly into a shell command passed to sh -c. Do not run this skill on untrusted input or in contexts where an attacker can control the host string. Prefer sanitizing/validating host names (allow only hostname[:port] patterns) or modify the pipeline to avoid invoking a shell with unescaped user data.
- Mode mismatch: CLI mode performs a real openssl connection; MCP mode returns mock/dummy certificate data. Treat MCP as a testing/mock endpoint only — it will not reflect real TLS state.
- Missing metadata: The SKILL.md and pipeline require expanso-edge and openssl, but the skill registry metadata does not declare these required binaries. Confirm those dependencies are present before use.
- Operational controls: If you will expose this to other users or wire it into automation, ensure input validation, run it in a least-privileged environment, and audit logs/outputs. If you are not comfortable reviewing or editing the pipeline to safely escape inputs, avoid installing it or ask the author to fix the shell invocation to use a safer API (avoid sh -c or properly escape/validate host input).
If the maintainer can demonstrate that the runtime escapes/validates host input, or replaces the sh -c invocation with a safer call (e.g., exec openssl directly without shell interpolation), the remaining concerns would be largely resolved.
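One way to apply the two mitigations named above (allow only hostname[:port], and run openssl without a shell), as an added example that is not part of the skill or its pipeline. The function names, the default port of 443 and the sample inputs are assumptions made for illustration.

```python
import re
import subprocess

# One DNS label: alphanumeric at both ends, hyphens only inside. A leading
# "-" is rejected, so the value can never be read by openssl as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_TARGET = re.compile(rf"({_LABEL}(?:\.{_LABEL})*)(?::([0-9]{{1,5}}))?")


def parse_target(raw, default_port=443):
    """Return (host, port) for a strict hostname[:port], else raise ValueError."""
    m = _TARGET.fullmatch(raw)  # fullmatch: no trailing newline or extra text
    if m is None or len(m.group(1)) > 253:
        raise ValueError(f"rejected target: {raw!r}")
    port = int(m.group(2)) if m.group(2) else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group(1), port


def openssl_argv(host, port):
    """Argument vector for openssl; each value is exactly one argv element."""
    return ["openssl", "s_client", "-servername", host,
            "-connect", f"{host}:{port}"]


def fetch_handshake(raw, timeout=10):
    """Validate, then run openssl directly (no shell, so nothing is expanded)."""
    host, port = parse_target(raw)
    done = subprocess.run(openssl_argv(host, port), stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=timeout)
    return done.stdout


def rejected(raw):
    """True if parse_target refuses the input."""
    try:
        parse_target(raw)
    except ValueError:
        return True
    return False


# Constructed sample inputs, not taken from the page.
SAMPLES = ["example.com", "example.com:8443", "example.com$(true)",
           "example.com`true`", "-help", "example.com:70000", "example.com\n"]
```

The pattern accepts DNS names and dotted IPv4 addresses only; bracketed IPv6 literals would need their own branch.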
Functional analysis
Type: OpenClaw Skill
Name: expanso-tls-inspect
Version: 1.0.0
The `pipeline-cli.yaml` file contains a critical shell injection vulnerability. User-controlled input (`this.host` and `this.host_with_port`), derived directly from the skill's input, is embedded without sufficient sanitization into a `sh -c` command that executes `openssl`. This allows an attacker to inject arbitrary shell commands by crafting the input hostname, leading to potential remote code execution. While the skill's stated purpose is benign (TLS inspection), this severe input sanitization flaw makes it suspicious.
Capability assessment
Purpose & Capability
The skill's files and SKILL.md describe a TLS certificate inspector and the CLI pipeline uses openssl to retrieve certificate data — this is coherent with the stated purpose. However, the registry metadata omitted the runtime binaries the SKILL.md and pipeline require (expanso-edge and openssl), which is an inconsistency that would affect deployability and security review.
Instruction Scope
The CLI pipeline constructs a shell command that embeds the user-supplied host into an sh -c invocation: echo | openssl s_client -servername "${! this.host }" -connect "${! this.host_with_port }" ... Executing user-supplied text inside a shell command can enable command injection (e.g., embedded $(...) or backticks) unless the runtime fully escapes/limits contents. The pipeline otherwise does not read unrelated files or env vars. Also, the MCP pipeline does not perform real TLS inspection and returns deterministic dummy certificate data — this behavioral mismatch (real inspection in CLI mode vs fake data in MCP mode) could surprise users or downstream automation.
Install Mechanism
This is an instruction-only skill with no install spec and no packaged downloads, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
The skill does not require environment variables or credentials. That is proportionate to its declared purpose. (Note: the SKILL.md does require expanso-edge and openssl binaries, but these are binaries rather than env/credentials.)
Persistence & Privilege
The skill does not request always: true and has no install-time persistence behavior in the package. It is user-invocable and can be called autonomously by the agent by default, which is standard for skills.
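How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install expanso-tls-inspect
- Once installation completes, call the Skill by name or use /expanso-tls-inspect to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history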
v1.0.0
Initial publish to ClawHub
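FAQ
What is Expanso tls-inspect?
Inspect TLS certificates for expiry, SANs, chain validity, and cipher details using Expanso Edge pipelines. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 934 total downloads to date.
How do I install Expanso tls-inspect?
Run the command "/install expanso-tls-inspect" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Expanso tls-inspect free?
Yes, Expanso tls-inspect is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Expanso tls-inspect support?
Expanso tls-inspect is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Expanso tls-inspect?
It is developed and maintained by Expanso (@aronchick); the current version is v1.0.0.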