Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Appian Export
v1.3.0
Export an Appian application or package to a ZIP file by UUID. Use when the user wants to export, download, or back up an Appian application or package from...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation. The only required environment variables are APPIAN_BASE_URL and APPIAN_API_KEY, which are appropriate for calling Appian's Deployment Management API. The code triggers an export, polls status, downloads a package ZIP, and writes it to disk — behaviour consistent with the stated purpose.
Instruction Scope
SKILL.md and scripts/index.js are aligned: they read credentials from environment (with an optional appian.json fallback), call the Appian endpoints listed, poll until completion, and save the ZIP locally. The instructions do not request unrelated files, unexpected network destinations, or arbitrary system scans. The appian.json lookup climbs up to 5 parent directories (documented in code), which is a reasonable convenience but means local repo config files could be used as fallbacks.
Install Mechanism
There is no install spec and the skill includes a small Node.js script. No remote downloads or archive extraction are performed by the skill itself. No package installation is requested by the registry metadata.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required (primaryEnv is APPIAN_BASE_URL). Both are necessary for API access; no unrelated secrets or broad permission scopes are requested. The script will also read an optional local appian.json file for these values if environment variables are not present.
Persistence & Privilege
The skill does not request persistent always-on presence (always:false). It writes exported ZIPs to ~/appian-exports/ and copies them into a local appian-exports/ folder in the current working directory; it does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: it uses APPIAN_BASE_URL and APPIAN_API_KEY to trigger an export, polls for completion, downloads the ZIP, and saves it to ~/appian-exports/ (and also copies it to ./appian-exports/). Before installing or running: (1) ensure the APPIAN_API_KEY you provide has the minimum privileges needed for exports; (2) be aware the script will read a local appian.json up to five parent directories if env vars are missing — avoid leaving credentials in repo files you don't want used; (3) exported ZIPs are written locally, so treat them like any sensitive backup; (4) the agent can invoke skills autonomously by default — if you don't want that, disable autonomous invocation for this skill in your agent settings. Overall the bundle is coherent with its purpose.
scripts/index.js:33
Environment variable access combined with network send.
scripts/index.js:22
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📦 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
