Appian Unnamedobjects

Security checks across malware telemetry and agentic risk

Overview

This Appian auditing skill does what it says, but it handles sensitive Appian credentials and exported application data with scoping gaps users should review first.

Review before installing. Use a least-privileged Appian API key, run it only from a trusted directory, check for unintended appian.json files in parent directories, and delete appian-exports files after use if the exported application data should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill writes exported Appian ZIP data to local disk, which may contain sensitive application metadata, but the user-facing description does not prominently warn about this persistence behavior. This creates a data-handling risk because operators may run the skill without understanding that potentially sensitive exports will remain on disk and could be accessed later by other users or processes.

VirusTotal

67/67 vendors flagged this skill as clean.
