Trust Assessment
apify-competitor-intelligence received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Path Traversal via unsanitized output file path.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 0ea3e009). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Path Traversal via unsanitized output file path.** The `run_actor.js` script allows users to specify an output file path via the `--output` command-line argument. This argument (`outputPath`) is extracted from user input and is highly likely used directly in a `writeFileSync` call (indicated by the `writeFileSync` import and the script's purpose) without proper sanitization. An attacker could use path traversal sequences (e.g., `../`) in the `--output` value to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious executables. Sanitize the `outputPath` argument before using it in `writeFileSync`. Ensure that the path is confined to an allowed directory, for example, by resolving it against a base directory and checking that the resolved path remains within that directory, or by extracting only the basename of the provided path to prevent directory traversal. | Unknown | reference/scripts/run_actor.js:21 |