Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Appian Deploymtstatus
v1.2.0
Check the status of an Appian deployment by UUID and optionally download its artifacts (log, package ZIP). Use after appian-export or appian-deploy to monito...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
The requested environment variables (APPIAN_BASE_URL, APPIAN_API_KEY) and the included script align with the stated purpose of querying Appian deployment status and optionally downloading artifacts. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md states credentials fall back to an appian.json in the current working directory; the script actually searches up to 5 parent directories for appian.json and will load any key/value pairs found into process.env if those env vars are not already set. This is a minor scope expansion that could read unexpected local config files—worth reviewing appian.json files in parent dirs before running.
Install Mechanism
There is no install spec (instruction-only) and the included Node.js script runs locally. No downloads from untrusted URLs, no package managers invoked, and no extract/write of external archives during an install step.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required, which is proportional. Two small points: (1) the manifest lists APPIAN_BASE_URL as the primaryEnv (the API key is the secret credential — this is not dangerous but is slightly odd), and (2) loading arbitrary keys from appian.json into process.env could expose or override other local values if such files contain unexpected entries.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or system-wide agent settings, and only writes files to a user-owned directory (~/appian-exports) when download flags are used.
Assessment
This skill appears to do what it says: it will call your Appian instance at APPIAN_BASE_URL using APPIAN_API_KEY and can save logs/ZIPs to ~/appian-exports when asked. Before installing/using it: (1) confirm you trust the APPIAN_BASE_URL you provide, (2) store APPIAN_API_KEY securely (the script reads it from env or appian.json), (3) check for any appian.json files in the current or parent directories you run this from—the script will load keys from up to 5 parent dirs and inject them into the environment, which could unintentionally surface or override values, and (4) if you expect primaryEnv to be the secret, consider that the skill marks the base URL as primaryEnv (this is informational only). If those behaviors are acceptable, the skill is coherent and safe to use in typical contexts.
scripts/index.js:33
Environment variable access combined with network send.
scripts/index.js:22
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📡 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
