apify-actor-development
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill provides clear security guidance for managing the
APIFY_TOKEN, specifically recommending the use of environment variables and scoped tokens while warning against passing secrets via command-line arguments. - [EXTERNAL_DOWNLOADS]: The documentation instructs users to install the Apify CLI via trusted package managers (
npm,brew) and includes an explicit security warning against insecure patterns like piping remote scripts to a shell (curl | bash). - [PROMPT_INJECTION]: The skill correctly identifies the risk of indirect prompt injection from crawled web content, providing mandatory rules for sanitizing data and treating external content as untrusted input.
- [COMMAND_EXECUTION]: Best practices in the skill explicitly forbid passing raw scraped content to shell commands,
eval(), or code-generation functions, mitigating potential injection vulnerabilities. - [REMOTE_CODE_EXECUTION]: The skill encourages the use of lockfiles (
package-lock.json) and version pinning inrequirements.txtto ensure reproducible and integrity-checked builds, reducing supply-chain risk.
Audit Metadata