Trust Assessment
apify-ultimate-scraper received a trust score of 45/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 1 medium, and 1 low severity. Key findings include Potential Command Injection via LLM-generated shell arguments, Arbitrary File Write via `--output` argument, APIFY_TOKEN exposed in URL query parameters.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The static_code_analysis layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 0ea3e009). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via LLM-generated shell arguments: The skill instructs the LLM to construct shell commands by directly embedding user-controlled or LLM-generated values (e.g., `SEARCH_KEYWORDS`, `ACTOR_ID`, `JSON_INPUT`) without explicit sanitization or escaping. If the LLM fails to properly quote or escape these values, an attacker could inject arbitrary shell commands by crafting malicious input that breaks out of the intended string context. Instruct the LLM to always sanitize and properly quote/escape any user-provided or LLM-generated strings before embedding them into shell commands. For example, use `shlex.quote()` or similar mechanisms if available, or explicitly instruct the LLM to wrap arguments in single quotes and escape any internal single quotes. | Unknown | SKILL.md:125 |
| HIGH | Potential Command Injection via LLM-generated shell arguments: The skill instructs the LLM to construct shell commands by directly embedding user-controlled or LLM-generated values (e.g., `SEARCH_KEYWORDS`, `ACTOR_ID`, `JSON_INPUT`) without explicit sanitization or escaping. If the LLM fails to properly quote or escape these values, an attacker could inject arbitrary shell commands by crafting malicious input that breaks out of the intended string context. Instruct the LLM to always sanitize and properly quote/escape any user-provided or LLM-generated strings before embedding them into shell commands. For example, use `shlex.quote()` or similar mechanisms if available, or explicitly instruct the LLM to wrap arguments in single quotes and escape any internal single quotes. | Unknown | SKILL.md:137 |
| HIGH | Potential Command Injection via LLM-generated shell arguments: The skill instructs the LLM to construct shell commands by directly embedding user-controlled or LLM-generated values (e.g., `SEARCH_KEYWORDS`, `ACTOR_ID`, `JSON_INPUT`) without explicit sanitization or escaping. If the LLM fails to properly quote or escape these values, an attacker could inject arbitrary shell commands by crafting malicious input that breaks out of the intended string context. Instruct the LLM to always sanitize and properly quote/escape any user-provided or LLM-generated strings before embedding them into shell commands. For example, use `shlex.quote()` or similar mechanisms if available, or explicitly instruct the LLM to wrap arguments in single quotes and escape any internal single quotes. | Unknown | SKILL.md:157 |
| MEDIUM | Arbitrary File Write via `--output` argument: The `run_actor.js` script accepts an `--output` argument which is directly used as a file path for `writeFileSync`. This allows the skill to write to any arbitrary location on the filesystem where the agent has write permissions. An attacker could potentially overwrite sensitive system files, write to unexpected locations, or exfiltrate data by writing it to a publicly accessible directory if the agent runs with elevated privileges or in a misconfigured environment. Restrict the `--output` argument to a designated, sandboxed output directory. Implement path sanitization to prevent directory traversal attacks (e.g., `../`). Consider using a temporary file mechanism if the output is only for immediate consumption. | Unknown | reference/scripts/run_actor.js:19 |
| LOW | APIFY_TOKEN exposed in URL query parameters: The `APIFY_TOKEN` is included directly in the URL query parameters for API calls within `run_actor.js`. While this is a functional way to authenticate with the Apify API, it is generally less secure than using an `Authorization: Bearer` header. Tokens in URLs can be logged by web servers, proxies, and network monitoring tools, increasing the risk of exposure. Modify the `run_actor.js` script to pass the `APIFY_TOKEN` in an `Authorization: Bearer` HTTP header instead of a URL query parameter for all API requests. This aligns with modern security best practices for API authentication. | Unknown | reference/scripts/run_actor.js:102 |
| INFO | Unpinned dependency for CLI tool installation: The skill instructs users to install the `mcpc` CLI tool globally using `npm install -g @apify/mcpc` without specifying a version. This introduces a supply chain risk, as future versions of the package could introduce breaking changes or malicious code. While not a direct vulnerability in the provided code, it's a best practice to pin dependencies. Specify a version for the `mcpc` CLI tool installation (e.g., `npm install -g @apify/mcpc@1.2.3`) to ensure reproducibility and mitigate risks from unexpected changes in future package versions. | Unknown | SKILL.md:19 |