Security audit

Appian Listpkg

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised read-only Appian lookup, but it needs Review because, despite claiming no file I/O, it can automatically read local config files from parent directories and then send credentials to a configured URL.

Install only if you trust this publisher and will run it from a controlled directory. Set both APPIAN_BASE_URL and APPIAN_API_KEY explicitly, verify the base URL is your Appian environment, use a least-privileged read-only key if possible, and avoid running it in untrusted workspaces containing appian.json files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill uses sensitive capabilities (environment variables and network access) but does not explicitly declare permissions, which weakens security review and runtime governance. In this case the skill reads Appian credentials and makes outbound API calls, so missing permission declarations can lead to over-broad execution trust, reduced visibility, and accidental credential exposure paths such as the documented fallback to a local appian.json file.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code and manifest state that the skill performs no file I/O, but credential validation walks parent directories and reads an `appian.json` file if present. This mismatch is security-relevant because operators and policy engines may trust the manifest to allow execution in contexts where disk access is supposed to be forbidden, enabling unintended local secret/config ingestion.

Scope Creep

Medium
Confidence
96% confidence
Finding
The skill reads configuration from disk despite declaring `file-operations: none`, which breaks the stated permission boundary. In an agent environment, this can cause unauthorized access to local configuration files and accidental loading of attacker-placed `appian.json` files from the current or ancestor directories, changing the destination URL or credentials used for outbound requests.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/index.js:32