← 返回 Skills 市场

Appian Deploymtstatus

Name: Appian Deploymtstatus
Author: solarspiker

作者 solarspiker · GitHub ↗ · v1.2.0 · MIT-0

cross-platform ⚠ suspicious

110

总下载

当前安装

版本数

在 OpenClaw 中安装

/install appian-deploymtstatus

功能描述

Check the status of an Appian deployment by UUID and optionally download its artifacts (log, package ZIP). Use after appian-export or appian-deploy to monito...

使用说明 (SKILL.md)

Appian Status

Retrieves the current status and artifact URLs for any Appian deployment using the v2 Deployment Management API. Supports optional polling and artifact download.

Usage

node {baseDir}/scripts/index.js \x3CdeploymentUuid> [--wait] [--download-log] [--download-zip]

Flag	Description
`--wait`	Poll until a terminal status is reached
`--download-log`	Save the deployment log to `~/appian-exports/`
`--download-zip`	Save the package ZIP (export deployments only) to `~/appian-exports/`

Examples

# Check immediately
node {baseDir}/scripts/index.js 208d489c-6f74-45f7-a48a-f0887fefeca9

# Wait for completion and download log
node {baseDir}/scripts/index.js 208d489c-6f74-45f7-a48a-f0887fefeca9 --wait --download-log

External endpoints

GET ${APPIAN_BASE_URL}/deployments/{uuid} — fetches deployment status
Artifact URLs returned by the API (log, ZIP) — downloaded only when flags are passed

Security

Credentials (APPIAN_BASE_URL, APPIAN_API_KEY) are read from environment variables (injected by OpenClaw at runtime). If not injected, the script falls back to an appian.json file in the current working directory.
Artifacts are saved only to ~/appian-exports/ — nothing is uploaded or sent to third parties.
No shell commands are executed; all operations use Node.js built-in APIs.

安全使用建议

This skill appears to do what it says: it will call your Appian instance at APPIAN_BASE_URL using APPIAN_API_KEY and can save logs/ZIPs to ~/appian-exports when asked. Before installing/using it: (1) confirm you trust the APPIAN_BASE_URL you provide, (2) store APPIAN_API_KEY securely (the script reads it from env or appian.json), (3) check for any appian.json files in the current or parent directories you run this from—the script will load keys from up to 5 parent dirs and inject them into the environment, which could unintentionally surface or override values, and (4) if you expect primaryEnv to be the secret, consider that the skill marks the base URL as primaryEnv (this is informational only). If those behaviors are acceptable, the skill is coherent and safe to use in typical contexts.

功能分析

Type: OpenClaw Skill Name: appian-deploymtstatus Version: 1.2.0 The skill 'appian-deploymtstatus' contains security vulnerabilities in 'scripts/index.js' that pose a risk to the user's environment. Specifically, the 'downloadArtifact' function is vulnerable to path traversal because it joins the user's home directory with an unsanitized filename extracted directly from the 'content-disposition' HTTP header. Additionally, the script sends the 'APPIAN_API_KEY' to any artifact URL returned by the Appian API without validating the destination domain, which could lead to credential exfiltration if the API response is manipulated. While these appear to be unintentional flaws rather than malicious intent, they represent significant security risks.

能力标签

requires-sensitive-credentials

能力评估

✓ Purpose & Capability

The requested environment variables (APPIAN_BASE_URL, APPIAN_API_KEY) and the included script align with the stated purpose of querying Appian deployment status and optionally downloading artifacts. No unrelated services, binaries, or credentials are requested.

ℹ Instruction Scope

SKILL.md states credentials fall back to an appian.json in the current working directory; the script actually searches up to 5 parent directories for appian.json and will load any key/value pairs found into process.env if those env vars are not already set. This is a minor scope expansion that could read unexpected local config files—worth reviewing appian.json files in parent dirs before running.

✓ Install Mechanism

There is no install spec (instruction-only) and the included Node.js script runs locally. No downloads from untrusted URLs, no package managers invoked, and no extract/write of external archives during an install step.

ℹ Credentials

Only APPIAN_BASE_URL and APPIAN_API_KEY are required, which is proportional. Two small points: (1) the manifest lists APPIAN_BASE_URL as the primaryEnv (the API key is the secret credential — this is not dangerous but is slightly odd), and (2) loading arbitrary keys from appian.json into process.env could expose or override other local values if such files contain unexpected entries.

✓ Persistence & Privilege

The skill does not request permanent/always-on presence, does not modify other skills or system-wide agent settings, and only writes files to a user-owned directory (~/appian-exports) when download flags are used.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install appian-deploymtstatus
安装完成后，直接呼叫该 Skill 的名称或使用 /appian-deploymtstatus 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.0

- Updated to version 1.2.0. - scripts/index.js modified (details not provided). - No visible user-facing changes to documentation.

v1.1.0

Fix: use appian.json env fallback (consistent with other skills); save artifacts to ~/appian-exports/ instead of ~/.openclaw/exports/; correct security section in SKILL.md

v1.0.0

Initial release of appian-deploymtstatus. - Check the status of an Appian deployment using its UUID. - Optionally poll for status updates until completion. - Download deployment log and package ZIP artifacts with flags. - Credentials are securely read from environment variables only. - All files are saved locally; no data is uploaded externally.

元数据

Slug appian-deploymtstatus

版本 1.2.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题