Back to skill

Security audit

Apify Lead Generation

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses a user's Apify account to run lead-generation scrapers and optionally save results locally, with no hidden persistence or unrelated local data access found.

Install this only if you intend to use Apify for scraping-based lead generation. Before each run, confirm the exact actor, target/source, input scope, result limit, cost, and output destination; use a least-privilege APIFY_TOKEN where possible and review platform terms and privacy laws before using scraped contact data for outreach.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires an API token and performs outbound network actions, but it does not clearly declare equivalent permissions in a way that matches its operational capabilities. This weakens reviewability and user consent because a reviewer may not realize the skill can transmit user data externally and use privileged environment-backed access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a lead-generation scraper, but the workflow actually allows running arbitrary Apify actors chosen by ID, fetching remote schemas, and exporting arbitrary actor output locally. That broader behavior materially increases the attack surface because a user or prompt injection could steer the agent into using actors outside the claimed scope, causing unexpected data transmission or risky execution paths.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The documentation states the skill does not access other environment variables, but it relies on shell expansion, PATH-resolved binaries, and runtime environment context beyond APIFY_TOKEN. Even if this does not directly exfiltrate secrets, the claim is overbroad and can create a false sense of isolation during security review.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The documentation states the skill does not access other environment variables, but it relies on shell expansion, PATH-resolved binaries, and runtime environment context beyond APIFY_TOKEN. Even if this does not directly exfiltrate secrets, the claim is overbroad and can create a false sense of isolation during security review.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad enough to match many ordinary business-research or prospecting requests, which can cause the skill to activate unexpectedly and send user-provided data to external scraping services. In context, that increases the chance of unintended data sharing and file creation without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill lacks a clear upfront warning that user inputs are transmitted to Apify services and that scraped results may be written to local CSV/JSON files. This is a meaningful privacy and consent issue because business names, search terms, URLs, and enrichment targets may contain sensitive or proprietary information.

External Transmission

Medium
Category
Data Exfiltration
Content
This skill instructs the agent to select an Apify Actor, fetch its schema (via mcpc), and run scrapers. The included script communicates only with api.apify.com and writes outputs to files under the current working directory; it does not access unrelated system files or other environment variables.

Apify Actors only scrape publicly available data and do not collect private or personally identifiable information beyond what is openly accessible on the target platforms. For additional security assurance, you can check an Actor's permission level by querying `https://api.apify.com/v2/acts/:actorId` — an Actor with `LIMITED_PERMISSIONS` operates in a restricted sandbox, while `FULL_PERMISSIONS` indicates broader system access. For full details, see [Apify's General Terms and Conditions](https://docs.apify.com/legal/general-terms-and-conditions).

## Error Handling
Confidence
89% confidence
Finding
https://api.apify.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.