Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Appian Listpkg
v1.1.0
List all packages for an Appian application by UUID. Use when the user wants to see what packages exist in an application, or to find a package UUID before i...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env vars (APPIAN_BASE_URL, APPIAN_API_KEY), and the single external endpoint (GET ${APPIAN_BASE_URL}/applications/{uuid}/packages) align with the stated purpose of listing Appian packages.
Instruction Scope
SKILL.md instructs running the included Node script and claims no file I/O, but the script will read an appian.json file (JSON or key=value) as a fallback and searches up to 5 parent directories for it. This is a small mismatch between docs and behavior but matches the legitimate need to load credentials if env vars aren't present.
Install Mechanism
No install spec (instruction-only) and no external downloads; the shipped JS file runs with Node. This is the lowest-risk install pattern for this functionality.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required, which is appropriate. Note: the script may populate process.env from a local appian.json it finds, so local files containing secrets will be read if present.
Persistence & Privilege
always is false, the skill does not request persistent or cross-skill configuration changes, and it does not modify other skills or system-wide settings.
Assessment
This skill appears to do exactly what it says: call Appian's package API using APPIAN_BASE_URL and APPIAN_API_KEY. Before installing, ensure you: (1) provide only an API key with least privilege needed for read access, (2) are comfortable that the script will look for and read an appian.json file (it searches the current directory and up to 5 parent directories) if env vars are not set — remove any sensitive credentials from those files or run the skill from a safe working directory, (3) review the included scripts/index.js yourself (it logs the request URL to stderr but does not print the API key), and (4) be aware that the agent can invoke the skill autonomously by default (normal for skills) — only grant the API key to agents you trust.
scripts/index.js:32
Environment variable access combined with network send.
scripts/index.js:21
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📋 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
