apify-lead-generation
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner] Instruction directing agent to run/execute external content

All findings:
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill is coherent with its stated purpose: it asks for an APIFY_TOKEN, shows how to fetch actor schemas and run Apify actors, and exports results. There is no code-level sign of obfuscation, hidden backdoors, or direct credential harvesting beyond the expected use of APIFY_TOKEN to call Apify APIs. The primary risks are misuse (privacy, legal/ToS violations) and the inherent trust needed to run third-party Apify actors (those actors could themselves perform additional unwanted actions or store scraped data). Recommend: ensure APIFY_TOKEN is handled safely (avoid exporting on shared shells), review run_actor.js and any third-party actor README/source before running, and ensure scraping actions comply with law/platform policies.

LLM verification: The skill's functionality matches its stated purpose of orchestrating Apify Actors to collect leads. There is no direct evidence of embedded malware or obfuscation in the provided documentation. Primary risks are operational and privacy-related: the APIFY_TOKEN grants broad control and should be treated as sensitive, and reliance on third-party actor implementations increases potential for data exfiltration or misuse. Recommend auditing run_actor.js and any actor source code before use, using a