Apify Ultimate Scraper

PassAudited by ClawScan on May 10, 2026.

Overview

The skill is a disclosed Apify-based web scraper that uses your Apify token to run remote scraper jobs and export results, with no hidden or destructive behavior evident in the provided artifacts.

Install this only if you trust Apify and are comfortable letting the agent run Apify Actors with your token. Before each scrape, confirm the selected actor, target site, input limits, output filename, expected Apify costs, and compliance with platform terms and privacy obligations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Running actors may consume Apify credits and collect data from third-party platforms.

Why it was flagged

The helper script can start Apify Actor runs through the Apify API. This is central to the scraper purpose, but it means the agent can launch remote scraping jobs.

Skill content

const url = `https://api.apify.com/v2/acts/${apiActorId}/runs`; ... method: 'POST'

Recommendation

Review the selected actor, input JSON, target platform, and output limits before running; make sure the scrape complies with applicable terms and privacy rules.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill operates under your Apify account authority and can start runs and retrieve datasets permitted by that token.

Why it was flagged

The script uses the APIFY_TOKEN as a bearer token when calling Apify APIs. This is expected for the service integration and no hardcoded or unrelated credential use is shown.

Skill content

'Authorization': `Bearer ${token}`

Recommendation

Store the token securely, use the least-privileged Apify token available, and monitor Apify usage/costs.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing the skill may execute code supplied by the npm package ecosystem.

Why it was flagged

The skill installs a Node package that provides an executable binary. This is disclosed and purpose-aligned, but package installation introduces normal third-party supply-chain trust.

Skill content

[0] node | package: @apify/mcpc | creates binaries: mcpc

Recommendation

Install only from trusted sources and consider pinning or reviewing the package version in controlled environments.