apify-lead-generation
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or behaviors detected. The skill performs its stated purpose of scraping leads through the Apify platform.
- [CREDENTIALS_UNSAFE]: Follows security best practices by instructing the user to manage the Apify API token via a .env file instead of hardcoding credentials.
- [EXTERNAL_DOWNLOADS]: References the official @apify/mcpc tool from the npm registry, which is an expected dependency for Apify integrations.
- [PROMPT_INJECTION]: The skill processes external data scraped from the web via Apify Actors, creating a surface for indirect prompt injection.
  - Ingestion points: Actor results are downloaded from Apify datasets in reference/scripts/run_actor.js.
  - Boundary markers: Uses simple text delimiters (e.g., ===, ---) in console output, providing basic separation for the agent.
  - Capability inventory: The skill can write to the local filesystem using writeFileSync and perform network requests to api.apify.com via fetch.
  - Sanitization: The helper script truncates long fields to prevent context overflow but does not implement specific sanitization for LLM instructions. This is a low-risk surface inherent to the skill's primary purpose.
Audit Metadata