apify-audience-analysis
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill runs Apify actors that scrape public social platforms (see SKILL.md actor list: Facebook/Instagram/YouTube/TikTok) and its run_actor.js explicitly fetches and downloads dataset items from https://api.apify.com/v2/datasets/... (downloadResults/displayQuickAnswer) and also fetches actor schemas via mcpc from mcp.apify.com, so untrusted, user-generated third‑party content is ingested and then read/summarized by the agent as part of its workflow—allowing embedded instructions to influence outputs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill invokes Apify API endpoints at runtime (e.g., https://api.apify.com/v2/acts/{author~actor}/runs?token=...) to start third-party Actors that execute remote code and are required for the skill to operate.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata