Low Risk — Risk Score 15/100
Last scan: 1 day ago
E-Commerce Price Monitor and Competitive Intel
Monitor product prices across Amazon, eBay, Walmart, AliExpress, Zalando and Google Shopping in real time using Apify scrapers
This is a legitimate e-commerce price monitoring skill that uses Apify APIs for web scraping, with no malicious behavior detected. Minor issues include unpinned dependencies and generic marketing language.
Skill Name: E-Commerce Price Monitor and Competitive Intel
Duration: 25.7s
Engine: pi
Safe to install
No immediate action required. Consider pinning npm dependencies to specific versions for reproducible builds.

Findings (3 items)

Severity: Low
Finding: Unpinned npm dependencies (Supply Chain)
The skill instructs users to run `npm install apify-client axios` without specifying versions. This allows dependency hijacking if a package is typosquatted or a new malicious version is published.
Evidence: npm install apify-client axios
→ Pin to specific versions: npm install apify-client@latest axios@latest or use a package.json
Location: SKILL.md:59

Severity: Low
Finding: Affiliate links in documentation (Doc Mismatch)
All Apify links contain the affiliate tracking parameter ?fpr=dx06p, meaning every user who signs up through these links generates revenue for the skill author. While disclosed, this represents a financial incentive not explicitly flagged as such.
Evidence: https://www.apify.com?fpr=dx06p
→ Consider adding an explicit disclosure that links contain affiliate codes
Location: SKILL.md:1

Severity: Info
Finding: No allowed-tools declaration (Priv Escalation)
The skill provides no allowed-tools section declaring required permissions (e.g., network:READ, filesystem:READ). While this is a documentation-heavy skill with no implementation scripts, a proper declaration would improve transparency.
Evidence: (no allowed-tools section)
→ Add an allowed-tools section if this skill will be used with a tool-calling harness
Location: SKILL.md:1
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      READ      ✓ Aligned  Code examples use readFileSync/writeFileSync, scoped to skill data
Network       NONE      READ      ✓ Aligned  HTTP calls to Apify API, Anthropic API, and user webhooks are all documented and…
Shell         NONE      NONE                 No shell execution found; only npm install and Node.js code examples
Environment   NONE      READ      ✓ Aligned  Uses process.env for APIFY_TOKEN, CLAUDE_API_KEY, WEBHOOK_URL — documented and n…
Database      NONE      NONE                 No database access
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Skill Invoke  NONE      NONE                 No nested skill invocation
6 findings (External URL)

Medium  External URL  https://www.apify.com?fpr=dx06p  (SKILL.md:13)
Medium  External URL  https://www.amazon.com/dp/B09G9HD6PD  (SKILL.md:105)
Medium  External URL  https://www.amazon.com/dp/B08N5WRWNW  (SKILL.md:106)
Medium  External URL  https://www.amazon.com/dp/B09XS7JWHH  (SKILL.md:107)
Medium  External URL  https://hooks.slack.com/your-webhook  (SKILL.md:281)
Medium  External URL  https://console.apify.com/schedules  (SKILL.md:462)

File Tree

1 file · 17.3 KB · 520 lines
Markdown: 1 file · 520 lines
└─ SKILL.md  Markdown  520 lines · 17.3 KB

Dependencies (2 items)

Package       Version  Source  Known Vulns  Notes
apify-client  *        npm     No           Version not pinned in SKILL.md
axios         *        npm     No           Version not pinned in SKILL.md

Security Positives

✓ No malicious code, obfuscation, or base64 payloads found
✓ No credential harvesting or data exfiltration beyond documented API calls
✓ No shell command execution or remote script fetching
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2 communication, or persistence mechanisms
✓ API calls are all to legitimate, documented third-party services (Apify, Anthropic)
✓ Environment variable usage for credentials is standard practice
✓ File I/O is scoped to local price reports with standard paths