Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Appian Inspectpkg
v1.1.0
Inspect an Appian package ZIP against the target environment to identify errors or warnings before deploying. Use before appian-deploy to validate a package.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env vars (APPIAN_BASE_URL, APPIAN_API_KEY), SKILL.md, and the included Node script all align: the script uploads a user-supplied ZIP to the Appian inspections endpoint and polls for results. No unrelated credentials or binaries are requested.
Instruction Scope
Instructions and code stay within the stated scope (read package ZIP, optionally read customization file, read Appian creds, POST to /inspections and poll). Minor mismatch: SKILL.md says the script falls back to an appian.json in the current working directory, but the code searches up to 5 parent directories for appian.json — this could cause it to load credentials from higher-level project dirs unintentionally.
Install Mechanism
No install spec; the skill is instruction-only with an included script. Nothing is downloaded or extracted at install time, which minimizes installation risk.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required (appropriate for the API used). Caveat: the script will populate environment variables from an appian.json it finds (current dir or up to 5 parent dirs), so it may read local config files containing other values if such a file exists.
Persistence & Privilege
Skill is not always-enabled, requests no persistent platform-level privileges, and does not modify other skills or system-wide configuration.
Assessment
This skill appears to do what it says: upload a package ZIP to your Appian environment's /inspections endpoint and show results. Before installing or running it: 1) verify APPIAN_BASE_URL points to the intended Appian environment (avoid running against production unless you intend to); 2) use an API key scoped with the minimum permissions required for inspections; 3) check for any appian.json files in the current or parent directories (the script searches up to 5 levels) to ensure it won't pick up unexpected credentials; 4) review scripts/index.js yourself if you want to confirm there are no additional network calls in your copy; and 5) run the script in a Node environment with the expected globals (fetch/FormData/Blob) or adapt it accordingly.
scripts/index.js:32
Environment variable access combined with network send.
scripts/index.js:21
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Tags: appian, appian claw, bare io, cowboy ai, latest, low code, no code, openclaw
Runtime requirements
🔍 Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
