Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Missingdescr

v1.5.10

Audit Appian application objects for missing descriptions. Given an application UUID, reports every object whose description field is empty or absent.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The requested environment variables (APPIAN_PROC_URL and APPIAN_RUNNER) are consistent with an Appian audit tool: APPIAN_PROC_URL could be the Appian endpoint and APPIAN_RUNNER a local Node script that performs the audit. However, registry metadata outside SKILL.md lists no required binaries while SKILL.md metadata declares 'node' as a required binary — this mismatch is an inconsistency in the manifest that should be corrected. The lack of source/homepage also reduces transparency.
Instruction Scope
Runtime instructions tell the agent to run: node $APPIAN_RUNNER missing-descr APPLICATION_UUID and then 'report the output verbatim.' Because the skill provides no code itself, APPIAN_RUNNER points to an external script that will be executed; that script could read arbitrary files, environment variables, or network endpoints and print sensitive data. Requiring verbatim reporting increases the likelihood of accidental exfiltration of secrets or sensitive Appian data.
Install Mechanism
There is no install spec (instruction-only), which limits what the skill writes to disk. That is lower risk in general, but the runtime behavior requires executing a potentially arbitrary local script (APPIAN_RUNNER) with Node — effectively delegating behavior to external code outside this skill's package. This is acceptable for a wrapper-style skill, but the dependency should be documented and the referenced script trusted.
Credentials
Only two environment variables are required, which is proportionate for an Appian audit: APPIAN_PROC_URL (primaryEnv) and APPIAN_RUNNER. However, APPIAN_RUNNER is effectively a pointer to executable code under the user's environment and thus grants the skill the ability to run arbitrary commands. SKILL.md requires APPIAN_PROC_URL even though the run command doesn't reference it directly (it is likely consumed by the runner), which is reasonable but worth clarifying.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not modify other skills or system settings. It uses normal, on-demand invocation.
What to consider before installing
This skill appears coherent for auditing Appian descriptions, but exercise caution before installing:

1) Verify APPIAN_RUNNER points to a trusted Node script you control (review its contents), because the skill will run that script and print its output verbatim.

2) Be careful that the script does not print credentials, tokens, or other sensitive data — 'report verbatim' can lead to accidental leakage.

3) Confirm the 'node' binary is available (SKILL.md requires it) and ask the publisher to fix the manifest inconsistency if you rely on registry metadata.

4) If unsure, run the runner manually in an isolated/sandbox environment to see what it outputs before giving the agent permission to execute it automatically.


latest: vk972k1tabantgf6bnh7cgebjxn84v3cv


Runtime requirements

Clawdis
Env: APPIAN_PROC_URL, APPIAN_RUNNER
Primary env: APPIAN_PROC_URL
