Appian Missingdescr
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill's behavior ultimately depends on whatever local runner is configured, which was not reviewed here.
The skill depends on a local Node runner referenced by `APPIAN_RUNNER`, but no runner code or install specification is included in the reviewed artifacts.
requires:\n env:\n - APPIAN_PROC_URL\n - APPIAN_RUNNER\n binaries:\n - node
Use only a reviewed, trusted `APPIAN_RUNNER` path and keep the runner source/version clear.
Running the skill executes the configured local Node runner with the user's environment permissions.
The documented workflow executes a local Node script from an environment variable. This is purpose-aligned for a runner-based skill, but it is still local code execution.
node $APPIAN_RUNNER missing-descr APPLICATION_UUID
Confirm that `APPIAN_RUNNER` points to the intended trusted script before invoking the skill.
The command may read and report Appian application object metadata for the provided UUID.
The skill uses an Appian environment endpoint to audit application object metadata. That access is aligned with the stated purpose, but it depends on the user's configured Appian access.
Both `APPIAN_PROC_URL` and `APPIAN_RUNNER` must be set in your environment before running.
Use an Appian environment/account authorized for the target application and avoid running it against apps whose metadata should not be exposed in the chat output.