← 返回 Skills 市场

Appian Discovertechdebt

Name: Appian Discovertechdebt
Author: solarspiker

作者 solarspiker · GitHub ↗ · v1.7.0 · MIT-0

cross-platform ⚠ suspicious

115

总下载

当前安装

版本数

在 OpenClaw 中安装

/install appian-discovertechdebt

功能描述

Scan an Appian application for tech debt by finding objects whose SAIL definitions reference outdated versioned functions (marked by Appian with a _v suffix...

使用说明 (SKILL.md)

Appian Discover Tech Debt

Exports an Appian application and scans every object's \x3Cdefinition> (SAIL markup) for references to outdated versioned functions. Appian marks deprecated functions by appending _v\x3Cnumber> to the function name in quoted rule references — e.g. #"SYSTEM_SYSRULES_DOSOMETHING_v1". Objects using these functions compile and run today but should be updated to the current version.

Usage

node {baseDir}/scripts/index.js \x3CapplicationUuid>

Example

node {baseDir}/scripts/index.js _a-0000de15-1f1c-8000-5130-010000010000_12559

IMPORTANT: credentials are pre-configured

APPIAN_BASE_URL and APPIAN_API_KEY are already injected by OpenClaw at runtime. Never ask the user for credentials before running this skill. Just execute it with the UUID the user provided.

How users can ask for this

"Find Appian tech debt in application \x3Cuuid>"
"Check Appian for outdated functions in \x3Cuuid>"
"Which Appian objects use deprecated SAIL in \x3Cuuid>"
"Audit Appian app \x3Cuuid> for tech debt"

What it does

Calls the Appian v2 Deployment Management API to export the application as a ZIP.
Parses the ZIP in-process using Node.js built-ins — one object per XML file, type from directory name.
Iterates every XML file outside META-INF/.
Searches each file's content for the pattern #"..._v\x3Cnumber>" (Appian's marker for outdated versioned function references).
Prints per-object findings with developer-friendly a!functionName display names and a deduplicated summary.

After running

Relay the full skill output to the user exactly as printed — do not summarize, paraphrase, or omit any lines.

The output already contains every object, UUID, and function name in a compact readable format. Your job is to forward it verbatim, then offer to help further. Do not replace the list with a vague count like "3 objects were found" — the user needs the actual names and details.

External endpoints

POST ${APPIAN_BASE_URL}/deployments — triggers the export
GET ${APPIAN_BASE_URL}/deployments/{uuid} — polls for completion
GET \x3CpackageZip URL> — downloads the resulting ZIP

Security

Credentials (APPIAN_BASE_URL, APPIAN_API_KEY) are read from environment variables (injected by OpenClaw at runtime). If not injected, falls back to appian.json in the current working directory.
The ZIP is written to ~/appian-exports/ and mirrored to CWD/appian-exports/ when running in a container.
No data is sent to any third-party service.
No shell commands are executed; ZIP extraction uses Node.js built-in zlib.

安全使用建议

This skill appears to be what it claims, but review these before you run it: 1) It needs APPIAN_BASE_URL and APPIAN_API_KEY (these are expected). 2) It will write the exported ZIP to your home directory and to ./appian-exports — inspect those files and clean them up if they contain sensitive data. 3) The code will try to load appian.json from the current directory or up to five parent directories and inject any uppercase keys it finds into the environment — ensure no unexpected credentials are present in those files. 4) The skill will forward the raw scan output verbatim to the user (UUIDs, object names, function names) — treat that as potentially sensitive. Recommended precautions: run in an isolated environment or CI worker with least-privilege Appian API key, verify appian.json content in your repo tree, and delete persisted exports after review.

功能分析

Type: OpenClaw Skill Name: appian-discovertechdebt Version: 1.7.0 The skill is a legitimate utility designed to audit Appian applications for technical debt by identifying deprecated SAIL function versions. The script (scripts/index.js) uses the Appian Deployment Management API to export application data, parses the resulting ZIP file in-memory using Node.js built-ins (zlib), and scans XML definitions for specific versioning patterns. It handles sensitive credentials (APPIAN_API_KEY) via environment variables, restricts network traffic to the user-defined Appian base URL, and limits file writes to a documented export directory (~/appian-exports/). The instructions in SKILL.md are focused on ensuring technical accuracy and do not contain malicious prompt-injection attempts.

能力标签

requires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name, description, declared env vars (APPIAN_BASE_URL, APPIAN_API_KEY), and external endpoints (Appian deployment API + package ZIP) align with the described job of exporting an Appian application and scanning its XML. The primary credential (base URL) is sensible.

ℹ Instruction Scope

The SKILL.md and script limit network access to the Appian endpoints and perform local ZIP parsing; no shell execution or third-party exfiltration is present. Two noteworthy behaviours: (1) SKILL.md says credentials are injected and should not be requested — the code follows that. (2) The skill requires relaying the full raw output to the user verbatim; that is intentional for this audit but may disclose sensitive object names/UUIDs and other metadata, so users should be aware before running.

✓ Install Mechanism

No install spec (instruction-only + a single code file). Nothing is downloaded during install; network activity is limited to the runtime export/download from the Appian host.

ℹ Credentials

Only two environment variables are required and declared (APPIAN_BASE_URL, APPIAN_API_KEY) which matches the API usage. Minor concern: the code attempts to load an appian.json file (parsing both JSON and KEY=VALUE lines) and injects any keys it finds into process.env; that behavior can import additional environment values from disk beyond the two expected keys and is not fully documented in SKILL.md (the doc says it falls back to appian.json in CWD but the code searches up to five parent directories).

ℹ Persistence & Privilege

always:false and no modifications to other skills or system-wide config. The skill writes downloaded ZIPs to ~/appian-exports and copies to CWD/appian-exports; this is expected for its purpose but means exported application packages are persisted on disk and could contain sensitive data.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install appian-discovertechdebt
安装完成后，直接呼叫该 Skill 的名称或使用 /appian-discovertechdebt 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.7.0

Version 1.7.0 - Updated scripts/index.js (contents not detailed). - No changes to documentation or external behavior described in SKILL.md.

v1.6.0

- Updated scripts/index.js (details not specified). - Version bump to 1.6.0.

v1.5.0

## v1.5.0 Changelog - Updated `scripts/index.js` (details of changes not specified in the inputs). - No documented changes to user-facing functionality or usage instructions.

v1.4.0

- Updated core script (scripts/index.js) with internal changes and improvements. - No changes to usage, security, or user-facing documentation. - All functionality and configuration remain as before.

v1.3.0

- Added container path mirroring: ZIP exports are now also mirrored to CWD/appian-exports/ when running inside a container. - No other user-facing changes.

v1.2.2

- Updated trigger phrases in the description and usage section to clarify Appian context (e.g., "Find Appian tech debt", "check Appian for outdated functions"). - No changes to functionality; documentation only.

v1.2.1

- Updated instructions for after running: clarify that the full skill output must be relayed to the user exactly as printed, without summarization or omission. - Emphasized that details such as object names, UUIDs, and function names should not be replaced by a vague summary. - No changes to functionality or endpoints; documentation only.

v1.2.0

- Improved documentation explaining how the skill scans Appian applications for outdated versioned SAIL functions and what results are reported. - Clarified that credentials (`APPIAN_BASE_URL`, `APPIAN_API_KEY`) are pre-configured by the system and should never be requested from the user. - Added detailed usage examples, trigger phrases, and a step-by-step outline of what the skill does. - Outlined post-scan reporting, listing object findings and unique outdated functions, with instructions for reporting zero findings. - Clarified security practices, including credential handling, data storage, and ZIP processing.

元数据

Slug appian-discovertechdebt

版本 1.7.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 8

常见问题