Security Audit
apify-brand-reputation-monitoring
github.com/apify/agent-skills

Trust Assessment
apify-brand-reputation-monitoring received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection via unvalidated Actor ID in mcpc command, Command Injection via unvalidated arguments in Node.js script execution, Path Traversal / Arbitrary File Write via unvalidated output path.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. The static_code_analysis layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 0ea3e009). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unvalidated Actor ID in mcpc command.** The skill instructs the LLM to execute a shell command that directly substitutes the `ACTOR_ID` into the `mcpc` command's `actor:=` argument. If the `ACTOR_ID` contains shell metacharacters (e.g., `" && rm -rf /`), an attacker could inject and execute arbitrary shell commands on the host system. The `mcpc` command is executed via `tools-call`, which implies direct shell execution. Sanitize or strictly validate `ACTOR_ID` before embedding it into shell commands. Prefer passing arguments via environment variables or dedicated tool APIs that do not involve shell interpretation. If shell execution is unavoidable, use proper escaping mechanisms (e.g., `shlex.quote` in Python, `JSON.stringify` for string arguments if the tool expects JSON). | Unknown | SKILL.md:50 |
| HIGH | **Command Injection via unvalidated arguments in Node.js script execution.** The skill instructs the LLM to execute a Node.js script (`run_actor.js`) with arguments `--actor "ACTOR_ID"` and `--input 'JSON_INPUT'`. If the `ACTOR_ID` or `JSON_INPUT` values, which are expected to be filled in by the LLM (potentially from user input), contain shell metacharacters (e.g., `"` or `'` to break out of quotes, or `$(...)` for command substitution), an attacker could inject and execute arbitrary shell commands or pass arbitrary arguments to the Node.js script. Although `node:util.parseArgs` is used, the vulnerability lies in the shell's parsing of the command string before Node.js receives the arguments. Ensure all user-controlled inputs passed as arguments to shell commands are properly escaped for the shell. For string arguments, use `shlex.quote` (Python equivalent) or similar functions to prevent shell metacharacter interpretation. Alternatively, pass complex data via temporary files or environment variables rather than direct command-line arguments. | Unknown | SKILL.md:69 |
| HIGH | **Path Traversal / Arbitrary File Write via unvalidated output path.** The skill instructs the LLM to execute a Node.js script (`run_actor.js`) with an `--output YYYY-MM-DD_OUTPUT_FILE.csv` argument. The `run_actor.js` script uses the value of this argument directly in `writeFileSync` without path validation or sanitization. If the LLM (potentially influenced by user input) provides a path like `../../../etc/passwd` or `/tmp/malicious.sh`, an attacker could write to arbitrary files on the host system, leading to data corruption, privilege escalation, or remote code execution. Implement strict path validation for the `--output` argument. Restrict output paths to a designated, non-sensitive directory. Sanitize user-provided filenames to prevent directory traversal sequences (e.g., `../`, `/`). Consider using a UUID or a hash for filenames to prevent collisions and ensure uniqueness. | Unknown | SKILL.md:75 |
| MEDIUM | **Unpinned dependency in global npm install.** The skill instructs `npm install -g @apify/mcpc` without specifying a version. This means the latest version of `mcpc` will be installed. If a malicious update to `mcpc` is published, it could be automatically installed and executed, leading to supply chain compromise. Global installations further increase the risk by making the package available system-wide. Pin the dependency to a specific version (e.g., `npm install -g @apify/mcpc@1.2.3`) to ensure reproducible and secure installations. Regularly review and update pinned versions after verifying their integrity. Avoid global installations where possible, or use isolated environments. | Unknown | SKILL.md:15 |
| INFO | **APIFY_TOKEN exposed in shell environment via `grep \| xargs`.** The `mcpc` command uses `export $(grep APIFY_TOKEN .env \| xargs)` to load the API token. While this is a common method for loading environment variables, it exposes the `APIFY_TOKEN` directly in the shell environment and potentially in shell history (depending on the shell configuration and execution environment). This increases the risk of the token being inadvertently logged or accessed by other processes if the environment is not sufficiently secured. Prefer methods that load environment variables directly without exposing them to shell history or intermediate commands, such as using `dotenv` libraries within the Node.js script or relying on the `--env-file` flag for Node.js 20.6+ where applicable. Ensure the execution environment is configured to prevent logging of sensitive environment variables or commands. | Unknown | SKILL.md:50 |
[Full report](https://skillshield.io/report/038a793b9a6b01b0)
Powered by SkillShield