Apify
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches and processes data from various external platforms (Instagram, LinkedIn, TikTok, etc.) which is then returned to the model context. This content is untrusted and could contain hidden instructions.
- Ingestion points: `index.ts` via `ApifyDataset.listItems()` and `ApifyDataset.getAllItems()`.
- Boundary markers: Absent; scraped content is interpolated directly into objects or strings returned to the agent.
- Capability inventory: The skill can execute local scripts via `bun` and make network requests to the Apify API.
- Sanitization: None detected; scraped data is returned in its raw form.
- [COMMAND_EXECUTION]: Mandatory shell command execution. The `SKILL.md` and `Workflows/Update.md` files mandate the execution of a `curl` command to a local notification service (http://localhost:8888/notify) whenever the skill is invoked.
- [PROMPT_INJECTION]: Instruction Override. The skill documentation uses high-priority markers ("🚨 MANDATORY", "REQUIRED BEFORE ANY ACTION") to force the agent into specific behavioral patterns, such as sending notifications before processing user requests.
- [REMOTE_CODE_EXECUTION]: Dynamic Script Generation. The `web-scraper.ts` module allows the agent to generate and submit a JavaScript `pageFunction` for execution on the Apify platform. While this code runs in a remote sandbox, it represents a pattern of dynamic code generation and execution triggered by the agent.
Audit Metadata