Appian Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill transparently deploys a user-selected Appian ZIP package to the configured Appian environment, with expected API-key and deployment-impact risks.

Install only if you intend to let an agent deploy packages to Appian. Use a least-privilege Appian API key, verify APPIAN_BASE_URL and any nearby appian.json before running, inspect the ZIP first, and prefer Appian approval/review controls for production deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation indicates access to environment variables and outbound network connectivity, but the skill does not explicitly declare corresponding permissions. This creates a transparency and policy-enforcement gap: a user or platform may authorize the skill without understanding it can read secrets like APPIAN_API_KEY and send data to a remote endpoint. In this context the network and env access are functionally required for deployment, but the undeclared capability still increases risk because secret handling and exfiltration boundaries are less visible and harder to audit.

VirusTotal

65/65 vendors flagged this skill as clean.
