Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Deploy

v1.2.2

Deploy (import) an Appian package ZIP into an Appian environment. Use when the user wants to push, import, or deploy a package file to an Appian environment.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description, declared env vars (APPIAN_BASE_URL, APPIAN_API_KEY), SKILL.md, and the included script all align: the script uploads a ZIP to the Appian deployments endpoint and polls for completion. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Runtime instructions and the script remain within scope: they read the user-supplied ZIP (and optional customization file), post to ${APPIAN_BASE_URL}/deployments, poll ${APPIAN_BASE_URL}/deployments/{uuid}, and print a summary. The SKILL.md accurately documents endpoints and behavior. The script logs the JSON payload and file size to stdout (local logging), which is expected for debugging but does reveal the payload locally.
Install Mechanism
No install spec — instruction-only with a small included Node script. No downloads or archive extraction. This is low-risk from an installation perspective. (Note: the script uses fetch/FormData/Blob APIs available in modern Node runtimes.)
Credentials
Requested env vars (APPIAN_BASE_URL, APPIAN_API_KEY) are appropriate and used by the code. One notable behavior: the script will fall back to reading a local appian.json and will inject any keys from that file into process.env when those envs are not already set. That fallback is documented in SKILL.md, but it means a local appian.json can set arbitrary environment variables for the process—ensure that file is trusted and only contains intended values.
Persistence & Privilege
The skill does not request permanent/always-on presence (always: false), does not modify other skills or system-wide configs, and does not write files beyond reading inputs and optionally appian.json. No elevated persistence requested.
Assessment
This skill appears to do exactly what it says: upload an Appian package ZIP to the Appian instance referenced by APPIAN_BASE_URL using APPIAN_API_KEY. Before installing or running it, ensure: (1) you provide a correct APPIAN_BASE_URL and a scoped API key you trust; (2) any local appian.json in the working directory is trusted because the script will read it and inject values into environment variables if those envs are unset; (3) you are comfortable with the script logging the payload and file size to stdout (these logs are local). Also ensure your Node runtime supports fetch/FormData/Blob (modern Node 18+ or equivalent).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/index.js:20: Environment variable access combined with network send.
scripts/index.js:18: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🚀 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL