apify-scrapers
Audited by Socket on Feb 24, 2026
3 alerts found:
Obfuscated File (x2), Malware: The file is a functional specification and README for a Google Maps scraping tool. There is no direct evidence of malicious code, obfuscation, or immediate malware indicators in the provided text. However, the described architecture and workflow create realistic risks: leakage of APIFY_API_TOKEN, unauthorized exfiltration of personal contact data via integrations, cost abuse from high-volume runs, and potential Terms-of-Service or legal violations. Before using or integrating this tool, review the actual implementation for secure secret management (avoid committing tokens, use vaults/short-lived credentials), enforce least privilege, add PII minimization/redaction and retention policies, implement strict rate-limiting and bot-respectful behavior, and ensure legal compliance with target data sources.
[Skill Scanner] Natural language instruction to download and install from URL detected: This skill is functionally coherent: its declared capabilities match the operations described, and the required APIFY_TOKEN is expected for running Apify actors. The primary supply-chain risks come from reliance on many third-party Apify actors and the use of a single APIFY_TOKEN with broad privileges. That increases the blast radius if an actor is malicious or compromised. The documentation also highlights behaviors that are ethically/legally sensitive (bypassing robots.txt, scraping PII) and recommends proxy usage, which can route traffic through third parties. No direct evidence of malware or obfuscated/hidden payloads is present in this document, but the absence of the actual script code prevents a full verification; check scripts for credential forwarding, logging of tokens, network calls to non-Apify endpoints, and any code that executes arbitrary downloaded payloads before trusting the skill. Recommended mitigations: use separate Apify accounts with minimal funds/privileges, audit the referenced actor implementations, avoid sharing APIFY_TOKEN, and inspect scripts before running. Overall classification: medium supply-chain/security risk (vulnerable), low likelihood of direct malware based on provided files. LLM verification: This skill is coherent with its stated scraping purpose but presents non-trivial supply-chain and privacy risks. It legitimately requires an APIFY_TOKEN and accepts URLs/queries as input; however, it routinely invokes third-party Apify actors (many different authors), which means user data and a full-access token will be used by external actor code, a significant credential-forwarding and supply-chain exposure. The documentation also recommends proxy evasion and admits actors may bypass robots.t
The selected report correctly identifies the architecture, data flow, and security considerations of the scraper. The improved assessment adds specific security best practices (log masking, input validation, transfer/backoff, streaming) and clarifies storage implications. Overall risk remains low-to-moderate, driven by secret management and external API reliance. No malware indicators observed in this fragment.