Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Appian Discovertechdebt
v1.7.0 · Scan an Appian application for tech debt by finding objects whose SAIL definitions reference outdated versioned functions (marked by Appian with a _v suffix...
⭐ 0 · 79 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, declared env vars (APPIAN_BASE_URL, APPIAN_API_KEY), and external endpoints (Appian deployment API + package ZIP) align with the described job of exporting an Appian application and scanning its XML. The primary credential (base URL) is sensible.
Instruction Scope
The SKILL.md and script limit network access to the Appian endpoints and perform local ZIP parsing; no shell execution or third-party exfiltration is present. Two noteworthy behaviours: (1) SKILL.md says credentials are injected and should not be requested — the code follows that. (2) The skill requires relaying the full raw output to the user verbatim; that is intentional for this audit but may disclose sensitive object names/UUIDs and other metadata, so users should be aware before running.
Install Mechanism
No install spec (instruction-only + a single code file). Nothing is downloaded during install; network activity is limited to the runtime export/download from the Appian host.
Credentials
Only two environment variables are required and declared (APPIAN_BASE_URL, APPIAN_API_KEY), which matches the API usage. Minor concern: the code attempts to load an appian.json file (parsing both JSON and KEY=VALUE lines) and injects any keys it finds into process.env; that behavior can import additional environment values from disk beyond the two expected keys and is not fully documented in SKILL.md (the doc says it falls back to appian.json in CWD, but the code searches up to five parent directories).
Persistence & Privilege
always:false and no modifications to other skills or system-wide config. The skill writes downloaded ZIPs to ~/appian-exports and copies to CWD/appian-exports; this is expected for its purpose but means exported application packages are persisted on disk and could contain sensitive data.
Assessment
This skill appears to be what it claims, but review these before you run it:
1) It needs APPIAN_BASE_URL and APPIAN_API_KEY (these are expected).
2) It will write the exported ZIP to your home directory and to ./appian-exports — inspect those files and clean them up if they contain sensitive data.
3) The code will try to load appian.json from the current directory or up to five parent directories and inject any uppercase keys it finds into the environment — ensure no unexpected credentials are present in those files.
4) The skill will forward the raw scan output verbatim to the user (UUIDs, object names, function names) — treat that as potentially sensitive.
Recommended precautions: run in an isolated environment or CI worker with a least-privilege Appian API key, verify appian.json content in your repo tree, and delete persisted exports after review.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/index.js:36: Environment variable access combined with network send.
- scripts/index.js:25: File read combined with network send (possible exfiltration).
Like a lobster shell, security has layers — review code before you run it.
latest: vk973h7dzv47h4cxg949b6d1vs584tf04
Runtime requirements
🔧 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
