▥AGENT LAB: SKILLS — FEB 26 NYCAGENT LAB: SKILLS

skills/apify/agent-skills/apify-competitor-intelligence/Snyk

apify-competitor-intelligence

Warn

Audited by Snyk on Feb 17, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). This skill runs Apify scrapers against public third-party sites (e.g., Google Maps, Booking.com, Facebook, Instagram, YouTube, TikTok via listed Actor IDs) and then downloads/displays the scraped dataset items from Apify (see downloadResults/displayQuickAnswer and the console.apify.com dataset URL), so the agent ingests untrusted user-generated content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill makes runtime calls to https://api.apify.com (e.g., POST to /v2/acts/... to start actor runs, polling /v2/actor-runs/... and fetching /v2/datasets/.../items), which launches and interacts with remote Apify Actors (i.e., executes remote code) and is a required runtime dependency for the skill.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Feb 17, 2026, 10:25 PM