ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Deploymtstatus

v1.2.0

Check the status of an Appian deployment by UUID and optionally download its artifacts (log, package ZIP). Use after appian-export or appian-deploy to monito...

0· 80·0 current·0 all-time
by@solarspiker
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The requested environment variables (APPIAN_BASE_URL, APPIAN_API_KEY) and the included script align with the stated purpose of querying Appian deployment status and optionally downloading artifacts. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md states credentials fall back to an appian.json in the current working directory; the script actually searches up to 5 parent directories for appian.json and will load any key/value pairs found into process.env if those env vars are not already set. This is a minor scope expansion that could read unexpected local config files—worth reviewing appian.json files in parent dirs before running.
Install Mechanism
There is no install spec (instruction-only) and the included Node.js script runs locally. No downloads from untrusted URLs, no package managers invoked, and no extract/write of external archives during an install step.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required, which is proportional. Two small points: (1) the manifest lists APPIAN_BASE_URL as the primaryEnv (the API key is the secret credential — this is not dangerous but is slightly odd), and (2) loading arbitrary keys from appian.json into process.env could expose or override other local values if such files contain unexpected entries.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or system-wide agent settings, and only writes files to a user-owned directory (~/appian-exports) when download flags are used.
Assessment
This skill appears to do what it says: it will call your Appian instance at APPIAN_BASE_URL using APPIAN_API_KEY and can save logs/ZIPs to ~/appian-exports when asked. Before installing/using it: (1) confirm you trust the APPIAN_BASE_URL you provide, (2) store APPIAN_API_KEY securely (the script reads it from env or appian.json), (3) check for any appian.json files in the current or parent directories you run this from—the script will load keys from up to 5 parent dirs and inject them into the environment, which could unintentionally surface or override values, and (4) if you expect primaryEnv to be the secret, consider that the skill marks the base URL as primaryEnv (this is informational only). If those behaviors are acceptable, the skill is coherent and safe to use in typical contexts.
scripts/index.js:33
Environment variable access combined with network send.
!
scripts/index.js:22
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📡 Clawdis
EnvAPPIAN_BASE_URL, APPIAN_API_KEY
Primary envAPPIAN_BASE_URL
appianvk97151bt3kep2n65859axsx04584qw3cappian clawvk97151bt3kep2n65859axsx04584qw3ccowboy aivk97151bt3kep2n65859axsx04584qw3clatestvk971kbxrectjg9xyqac654s4dd84v403low codevk97151bt3kep2n65859axsx04584qw3cno codevk97151bt3kep2n65859axsx04584qw3copenclawvk97151bt3kep2n65859axsx04584qw3c
80downloads
0stars
3versions
Updated 5d ago
v1.2.0
MIT-0
@solarspiker
appianappian clawcowboy ailatestlow codeno codeopenclaw
Download

Appian Status

Retrieves the current status and artifact URLs for any Appian deployment using the v2 Deployment Management API. Supports optional polling and artifact download.

Usage

node {baseDir}/scripts/index.js <deploymentUuid> [--wait] [--download-log] [--download-zip]
FlagDescription
--waitPoll until a terminal status is reached
--download-logSave the deployment log to ~/appian-exports/
--download-zipSave the package ZIP (export deployments only) to ~/appian-exports/

Examples

# Check immediately
node {baseDir}/scripts/index.js 208d489c-6f74-45f7-a48a-f0887fefeca9

# Wait for completion and download log
node {baseDir}/scripts/index.js 208d489c-6f74-45f7-a48a-f0887fefeca9 --wait --download-log

External endpoints

  • GET ${APPIAN_BASE_URL}/deployments/{uuid} — fetches deployment status
  • Artifact URLs returned by the API (log, ZIP) — downloaded only when flags are passed

Security

  • Credentials (APPIAN_BASE_URL, APPIAN_API_KEY) are read from environment variables (injected by OpenClaw at runtime). If not injected, the script falls back to an appian.json file in the current working directory.
  • Artifacts are saved only to ~/appian-exports/ — nothing is uploaded or sent to third parties.
  • No shell commands are executed; all operations use Node.js built-in APIs.

Comments

Loading comments...