apify-audience-analysis

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell commands and a local JavaScript utility (run_actor.js) to manage the audience analysis workflow and interface with the Apify API.
  • [EXTERNAL_DOWNLOADS]: The workflow documentation directs users to install @apify/mcpc, which is a legitimate CLI tool provided by Apify, a well-known service for web scraping and automation.
  • [CREDENTIALS_UNSAFE]: The skill requires a user-provided APIFY_TOKEN for authentication. While it is stored in a .env file per common practice, it is sensitive and handled throughout the execution flow.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of data from social media platforms.
      • Ingestion points: Data is retrieved from Apify datasets and processed in reference/scripts/run_actor.js.
      • Boundary markers: The instructions do not define delimiters or specific safety markers to prevent the agent from interpreting social media content as commands.
      • Capability inventory: The skill can write data to the local file system (using writeFileSync) and present information to the user.
      • Sanitization: The implementation focuses on formatting for CSV/JSON and does not include logic to sanitize data against malicious prompts embedded in external content.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 08:44 AM