Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Export

v1.2.5

Export an Appian application or package to a ZIP file by UUID. Use when the user wants to export, download, or back up an Appian application or package from...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (export Appian package by UUID) aligns with the code and runtime behavior: the script triggers an export, polls Appian, downloads a ZIP, and writes it to ~/appian-exports and cwd/appian-exports. The required env vars (APPIAN_BASE_URL, APPIAN_API_KEY) are appropriate. Minor inconsistency: primaryEnv is declared as APPIAN_BASE_URL while the API key is the main secret used; this is likely harmless but atypical.
Instruction Scope
SKILL.md and the script state they will fall back to reading a local appian.json in the current working directory when environment variables are not present. The registry metadata lists no required config paths; the skill therefore references a local file (appian.json) that is not declared. This is scope creep because it allows the skill to read credentials from disk without that being explicit in the manifest. Aside from that, the instructions limit external network calls to the APPIAN_BASE_URL endpoints and the packageZip URL and do not execute shell commands.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). A single JS file is included and will be run by node when invoked; there is no external download or archive extraction at install time.
Credentials
The skill requires two environment variables (APPIAN_BASE_URL and APPIAN_API_KEY), which is proportionate to its purpose. The fallback to reading appian.json is not declared in requires.config and increases the places secrets may be read from; that should be considered when granting runtime env access or placing credential files in the CWD.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and only writes exported ZIPs to the user's home directory and optionally copies to the current working directory. It does not persist tokens or enable itself automatically.
What to consider before installing
This skill appears to do what it says: trigger an Appian export, poll for completion, and save the ZIP locally. Before installing, check the following: (1) Understand that the script will read APPIAN_BASE_URL and APPIAN_API_KEY from environment variables — confirm you are comfortable providing the API key to the agent. (2) The script will also try to load credentials from a local appian.json in the current working directory if env vars are absent; if you keep secrets in files, ensure appian.json is safe and you expect the skill to read it. (3) The code writes files to ~/appian-exports and copies them into ./appian-exports; run in a directory you control or an isolated environment if you are concerned about file writes. (4) The primaryEnv setting naming APPIAN_BASE_URL (rather than the API key) is likely a metadata quirk — verify the platform's injection of the API key works as you expect. If any of these behaviors are unacceptable, do not install or run the skill until you can review or edit the code (scripts/index.js) or provide credentials in a way you trust.
scripts/index.js:23: Environment variable access combined with network send.
scripts/index.js:21: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📦 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
