Appian Inspectpkg

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the disclosed Appian package inspection workflow, with credential and file-upload risks that are expected for that purpose.

Before installing, confirm APPIAN_BASE_URL points to the intended Appian environment, use a least-privilege APPIAN_API_KEY, and pass only the ZIP and customization file you intend to inspect. Avoid running it from a directory tree containing an unintended appian.json, because the script may load credentials from nearby parent directories if env vars are not already set.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill declares no explicit permissions while its documented behavior clearly requires environment-variable access and outbound network access to the Appian API. This mismatch can weaken security review and policy enforcement because users and platforms may not realize the skill can read credentials and transmit package contents externally.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal