Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Deploy

v1.2.3

Deploy (import) an Appian package ZIP into an Appian environment. Use when the user wants to push, import, or deploy a package file to an Appian environment.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required env vars (APPIAN_BASE_URL, APPIAN_API_KEY), and the script's network calls all align with deploying a package to Appian. Minor mismatch: the SKILL declares no required binaries but the runtime usage requires Node (the script is invoked with `node`).
Instruction Scope
SKILL.md and the script limit network activity to the configured APPIAN_BASE_URL endpoints and describe uploading only the supplied package/customization file. However, the script searches up to 5 parent directories for an `appian.json` and loads any uppercase KEY=VALUE entries it finds into process.env, not just the two Appian variables. The script also logs payload metadata (the deployment JSON and the file size) to stdout/stderr, which could surface sensitive information in logs.
Install Mechanism
No install spec is provided (instruction-only), which keeps risk low. The package includes a Node.js script but no packaged install step, so the environment must provide Node.js; the skill does not declare Node as a required binary even though the script is intended to be run with `node`.
Credentials
Declared env requirements (APPIAN_BASE_URL, APPIAN_API_KEY) are appropriate for the task. But the fallback `appian.json` loader will parse and set any uppercase KEY=VALUE pairs into process.env if they are present and not already set. That behavior can unexpectedly import additional environment values from a config file located in parent directories (search depth 5). Consider whether you want a skill to automatically load arbitrary env entries from nearby files.
Persistence & Privilege
The skill does not request persistent/always-on privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined with other high-risk features here.
Assessment
This skill appears to do what it says: it uploads a ZIP to your Appian environment using the provided APPIAN_BASE_URL and APPIAN_API_KEY. Before installing, note two small issues: (1) the script requires Node.js to run but the skill metadata doesn't list Node as a required binary — ensure your environment provides Node; (2) if APPIAN_BASE_URL/APPIAN_API_KEY aren't injected, the script searches up to 5 parent directories for an appian.json and will load any uppercase KEY=VALUE pairs it finds into process.env (this can import unrelated secrets/config into the process). Also be aware that the script prints payload metadata (deployment JSON and file size) to stdout/stderr, which may appear in agent logs. If those behaviors are acceptable for your environment, the skill is coherent and proportionate to its stated purpose.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Line 32 of scripts/index.js: environment variable access combined with network send.
Line 21 of scripts/index.js: file read combined with network send (possible exfiltration).


Tags: appian, appian claw, bare io, cowboy ai, latest, low code, no code, openclaw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
