Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appian Unnamedobjects

v1.3.0

Find Appian application objects that are missing a description. Exports the application, scans all object XML files, and reports name and UUID for each objec...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description say the skill exports an Appian application and scans its XML files. The skill requires only APPIAN_BASE_URL and APPIAN_API_KEY, and the code calls Appian deployment endpoints and downloads the package ZIP as described, so these requirements are proportionate to the declared purpose.
Instruction Scope
SKILL.md and the script keep behavior within the stated audit scope (trigger export, poll, download ZIP, scan XML entries). However, the instructions insist that the agent 'relay the full skill output verbatim', which increases the chance of exposing sensitive information if the export contains secrets or sensitive metadata. The runtime also falls back to reading appian.json for credentials when the environment variables are not present.
Install Mechanism
No install spec (instruction-only skill with a single Node script). Nothing is downloaded from unknown third-party URLs by the skill itself beyond the Appian package ZIP; low install risk.
Credentials
Only APPIAN_BASE_URL and APPIAN_API_KEY are required, which matches the API calls the skill performs. One caveat: the script looks for an appian.json file in the current directory and up to five parent directories as a fallback and populates process.env from it. That is reasonable, but it means local files containing credentials may be read whenever the env vars are missing.
Persistence & Privilege
The always flag is false and the skill does not alter other skills. It persists downloaded exports to ~/appian-exports and copies them into CWD/appian-exports when running in a container, so exported ZIPs remain on disk and may contain sensitive data. This persistent storage is expected for the stated purpose but is worth noting.
Assessment
This skill appears to do what it claims: it uses your APPIAN_BASE_URL and APPIAN_API_KEY to export an application and scan the exported XML files for empty or missing <description> tags. Before installing, consider:
1) The exported ZIP is written to your home directory, with a copy in the current working directory. The package may contain sensitive data, so run the skill in an isolated workspace or delete the files after use.
2) The skill reads appian.json from the current directory or up to five parent directories as a credential fallback, so make sure no unexpected credential files sit anywhere on that path.
3) SKILL.md requires the agent to forward the full raw output verbatim, which could expose sensitive object names or contents to whoever receives the output.
4) Scope the API key as narrowly as possible and rotate it if you stop trusting the skill.
5) For higher assurance, review the full script in a sandbox or run it manually with a throwaway account first.
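The credential fallback flagged above (appian.json searched in the working directory and up to five parent directories, with its values copied into the environment) is the behavior a reviewer most needs to understand. The following is an added example, not the skill's own code: it models that walk against a constructed in-memory filesystem so you can see exactly which file a given working directory would pick up, and contrasts it with a stricter loader that does no directory walk. The fake tree, the helper names and the APPIAN_CONFIG_FILE variable are assumptions for illustration.

```javascript
// Added example, not the skill's own code. Models the appian.json fallback
// described in the scan against a constructed in-memory filesystem and
// contrasts it with a stricter loader. The tree, the function names and the
// APPIAN_CONFIG_FILE variable are assumptions.

const REQUIRED = ["APPIAN_BASE_URL", "APPIAN_API_KEY"];

// Constructed filesystem: a credentials file two levels above the
// directory the skill is run from, which a developer may have forgotten.
const FAKE_FS = {
  "/home/dev/appian.json": JSON.stringify({
    APPIAN_BASE_URL: "https://appian.example.invalid",
    APPIAN_API_KEY: "planted-key",
  }),
};

function fakeReadFile(p) {
  if (!(p in FAKE_FS)) throw new Error("ENOENT: " + p);
  return FAKE_FS[p];
}

// Minimal POSIX path helpers so the example has no dependencies.
function parentDir(dir) {
  const i = dir.lastIndexOf("/");
  return i <= 0 ? "/" : dir.slice(0, i);
}
function joinFile(dir, name) {
  return dir === "/" ? "/" + name : dir + "/" + name;
}

// Upward search: checks startDir and then at most `maxLevels` parents
// for appian.json. Returns the first hit or null.
function findUpward(startDir, maxLevels, readFile = fakeReadFile) {
  let dir = startDir;
  for (let level = 0; level <= maxLevels; level++) {
    const candidate = joinFile(dir, "appian.json");
    try {
      readFile(candidate);
      return candidate;
    } catch (_) {
      // not in this directory, keep climbing
    }
    if (dir === "/") break;
    dir = parentDir(dir);
  }
  return null;
}

// Permissive loader, as described in the scan: when a required variable
// is missing, discover appian.json and copy its keys into `env`.
// Returns the file it read so the caller can see where credentials came from.
function loadFallbackCredentials(env, startDir, readFile = fakeReadFile) {
  if (REQUIRED.every((k) => env[k])) return null;
  const file = findUpward(startDir, 5, readFile);
  if (!file) return null;
  const cfg = JSON.parse(readFile(file));
  for (const k of REQUIRED) if (!env[k] && cfg[k]) env[k] = cfg[k];
  return file;
}

// Stricter alternative (an assumption, not what the skill does): no
// directory walk at all. Credentials come from the environment or from
// one file the operator names explicitly via APPIAN_CONFIG_FILE.
function loadStrictCredentials(env, readFile = fakeReadFile) {
  if (REQUIRED.every((k) => env[k])) return null;
  if (!env.APPIAN_CONFIG_FILE) {
    throw new Error("credentials missing and APPIAN_CONFIG_FILE not set");
  }
  const cfg = JSON.parse(readFile(env.APPIAN_CONFIG_FILE));
  for (const k of REQUIRED) if (!env[k] && cfg[k]) env[k] = cfg[k];
  return env.APPIAN_CONFIG_FILE;
}

// Demo: an empty environment, run from a subdirectory of the project.
// The permissive loader silently reads the planted file two levels up.
const demoEnv = {};
console.log("fallback read:", loadFallbackCredentials(demoEnv, "/home/dev/proj/tooling"));
console.log("env now holds:", Object.keys(demoEnv));
```

Before running the real skill, point findUpward at your actual working directory (with a readFile that wraps fs.readFileSync) to list exactly which appian.json would be consumed; if the answer is a file you did not expect, remove it or set the two env vars explicitly so the fallback never runs.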
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/index.js:35
Environment variable access combined with network send.
scripts/index.js:24
File read combined with network send (possible exfiltration).


latest: vk97f4terem2anyyfn4nfnsg4dx84vjxf


Runtime requirements

Clawdis
Env: APPIAN_BASE_URL, APPIAN_API_KEY
Primary env: APPIAN_BASE_URL
