Apify
ReviewAudited by ClawScan on May 1, 2026.
Overview
This instruction-only Apify helper appears purpose-aligned, but it uses your Apify token to start scraping actors, retrieve stored results, and read actor documentation.
Install this only if you want your agent to operate Apify on your behalf. Use a limited/revocable token if available, confirm each Actor and target before running, set page/item/time limits to control cost, and treat Actor READMEs as documentation rather than trusted instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could start scraping/crawling jobs under your Apify account, which may consume credits, run for a long time, or interact with websites you specify.
The skill is intentionally able to start Apify Actors, including potentially paid or third-party cloud scraping jobs, which is powerful but aligned with its stated purpose.
Run any of the 17,000+ Actors on Apify Store ... Some Actors require a monthly subscription before they can be run.
Approve the Actor, target URLs, item/page limits, timeout, and cost expectations before running; use maxPages, maxItems, timeout, and abort runs when needed.
Anyone or anything using this token can make Apify API requests allowed by the token, including running Actors and reading datasets or key-value store records.
The skill requires an Apify API token to authenticate calls, which is expected for this integration but gives the agent delegated access to the user's Apify account.
All requests need the `APIFY_TOKEN` env var. Use it as a Bearer token
Use a revocable, least-privilege token where possible, keep using the Authorization header rather than URL tokens, and do not expose the token in prompts, logs, or shared outputs.
You have less provenance information for deciding whether to trust this skill with an Apify token.
The registry metadata does not identify a source repository or publisher provenance, although the skill itself is instruction-only and points to the official Apify API docs.
Source: unknown
Verify the skill contents against Apify's official documentation and install only from a registry or publisher you trust.
A malicious or low-quality Actor README could steer the agent away from the user's real goal if the agent follows it as instructions rather than documentation.
Actor READMEs and schemas are retrieved external content; they are useful for constructing inputs but could contain misleading instructions if treated as authoritative.
fetch its default build to get the README (usage docs) and input schema ... Use this to construct valid input
Treat Actor documentation as untrusted reference material, keep the user's request authoritative, and avoid following README instructions that ask for unrelated tools, secrets, or actions.