Trust Assessment
apify-competitor-intelligence received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Path Traversal via unsanitized output file path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 0ea3e009). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal via unsanitized output file path. The `run_actor.js` script allows users to specify an output file path via the `--output` command-line argument. This argument (`outputPath`) is extracted from user input and is highly likely used directly in a `writeFileSync` call (indicated by the `writeFileSync` import and the script's purpose) without proper sanitization. An attacker could use path traversal sequences (e.g., `../`) in the `--output` value to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious executables. Sanitize the `outputPath` argument before using it in `writeFileSync`. Ensure that the path is confined to an allowed directory, for example, by resolving it against a base directory and checking that the resolved path remains within that directory, or by extracting only the basename of the provided path to prevent directory traversal. | LLM | reference/scripts/run_actor.js:21 |