Apify Bluesky Scraper

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use Apify to perform Bluesky search or monitoring, which fits its stated purpose, but users should understand that their search terms are sent to a third-party service.

Install only if you are comfortable using Apify for Bluesky searches. Treat search terms and returned metadata as data shared with Apify, avoid entering sensitive private topics unless necessary, and configure the Apify token only for the access needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 74% confidence
Finding: The skill description is broad enough to match common user requests like searching or monitoring Bluesky, which increases the chance the skill is invoked in situations where the user did not clearly consent to sending query data to Apify. In this context the skill performs authenticated third-party network calls, so over-broad routing meaningfully increases the risk of unintended external data disclosure.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The workflow instructs the agent to make authenticated requests to Apify using user-supplied search terms, but it does not include a clear user-facing warning that those terms and resulting metadata will be transmitted to an external service. This creates a real privacy and consent issue, especially because the skill is framed as a general search utility rather than as a third-party data-sharing action.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal