Trust Assessment
apify-actor-development received a trust score of 26/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 2 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Remote code execution: curl/wget pipe to shell", and "Direct execution of remote installation script (Linux/macOS)".
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The static_code_analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 0ea3e009). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-4i91qrxv/repo/skills/apify-actor-development/SKILL.md:24 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-4i91qrxv/repo/skills/apify-actor-development/SKILL.md:24 |
| MEDIUM | **Direct execution of remote installation script (Linux/macOS).** The skill instructs the user/agent to install the Apify CLI by directly piping a remote shell script from `https://apify.com/install-cli.sh` to `bash`. This method bypasses package manager integrity checks and version pinning, introducing a supply chain risk. If the remote server hosting the script were compromised, malicious code could be executed on the system where the agent operates without prior review or validation. Prefer installation methods that use trusted package managers (e.g., `npm`, `brew`) with built-in integrity checks and version pinning. If direct script execution is necessary, advise the user/agent to review the script content before execution and ensure the source is trusted and secured. Implement sandboxing for such operations if executed by an agent. | Unknown | SKILL.md:28 |
| MEDIUM | **Direct execution of remote installation script (Windows).** The skill instructs the user/agent to install the Apify CLI on Windows by piping a remote PowerShell script from `https://apify.com/install-cli.ps1` to `iex` (Invoke-Expression). This method bypasses package manager integrity checks and version pinning, introducing a supply chain risk. If the remote server hosting the script were compromised, malicious code could be executed on the system where the agent operates without prior review or validation. Prefer installation methods that use trusted package managers (e.g., `npm`) with built-in integrity checks and version pinning. If direct script execution is necessary, advise the user/agent to review the script content before execution and ensure the source is trusted and secured. Implement sandboxing for such operations if executed by an agent. | Unknown | SKILL.md:31 |
Full report: https://skillshield.io/report/da2d3e208014cfe6 (Powered by SkillShield)