apify-ecommerce
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to scrape external, attacker-controlled websites (Amazon, Walmart, eBay, etc.).
  - Ingestion points: Data is pulled from external URLs into the agent's context via the run_actor.js script (as described in SKILL.md).
  - Boundary markers: None. There are no instructions to the agent to ignore instructions embedded in the scraped product titles, descriptions, or customer reviews.
  - Capability inventory: The skill uses node to execute scripts, writes files (.csv, .json), and can execute shell commands for workflow steps.
  - Sanitization: None. The skill directly processes and summarizes external content (Workflow 1 & 2).
- [Remote Code Execution] (MEDIUM): The skill executes an Apify 'Actor' (apify/e-commerce-scraping-tool). While Apify is a known platform, the skill dynamically passes user-defined JSON input to a remote execution environment.
- [Command Execution] (LOW): The skill provides templates for shell commands to run Node.js scripts. While these scripts are local, they use the --env-file flag to load credentials, which is a standard but sensitive operation.
- [Credential Exposure] (INFO): The skill documentation explicitly points to the location of sensitive credentials (~/.claude/.env containing APIFY_TOKEN). While not a leak of the token itself, it provides a roadmap for an attacker to locate API keys if they gain file system access.
Recommendations
- AI detected serious security threats
Audit Metadata