100Critical
The skill executes unpinned remote code and performs unauthorized network and file operations without declaring necessary security constraints or tool permissions, posing a significant risk of arbitrary code execution.
Skill Info
Nameapify/agent-skills/apify-actor-development
Registrygithub
Version18297b635a8e
PURLpkg:github/apify/agent-skills@18297b635a8e?skill=apify-actor-development
Stars2,164
Installs8,400
Source
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
8,400 installs
Skills.shDocs
npx skills add https://github.com/apify/agent-skillsAssessments (4)
AI Agent Traps ↗Remote code download and execution detectedcriticalcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025
Remote code download and execution detected
100% confidenceline 35
curl … | bash
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinningmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
100% confidenceline 29
npm install -g
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtimemediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
100% confidenceline 110
npx apify
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "references/actor-json.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[references/actor-json.md](references/actor-json.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "references/actor-readme.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[references/actor-readme.md](references/actor-readme.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "references/input-schema.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[references/input-schema.md](references/input-schema.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "references/logging.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[references/logging.md](references/logging.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "references/standby-mode.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[references/standby-mode.md](references/standby-mode.md)
Missing licenseinfopolicy violation
Skill does not specify a license field. Specifying a license helps users understand usage terms.
100% confidence
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/apify/agent-skills/apify-actor-development)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/apify/agent-skills/apify-actor-development"><img src="https://mondoo.com/ai-agent-security/api/badge/github/apify/agent-skills/apify-actor-development.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/apify/agent-skills/apify-actor-development.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow