apify-actorization

Fail

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: HIGH | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file references/cli-actorization.md contains a Dockerfile instruction that downloads a shell script from a third-party repository (houseabsolute/ubi) and pipes it directly to sh. This method is highly insecure because it executes unverified code from an external source with no hash verification or other integrity check.
  • [EXTERNAL_DOWNLOADS]: The skill references several external downloads including the Apify CLI, Apify SDKs (via npm and pip), and the 'ubi' installer from GitHub. While the Apify-branded resources are vendor-owned, the 'ubi' installer is a third-party dependency from an external repository.
  • [COMMAND_EXECUTION]: In references/cli-actorization.md, the instructions suggest creating a shell wrapper that extracts user-defined inputs with jq and passes them as arguments to a local application (./your-application --param "$MY_PARAM"). If the inputs are not properly sanitized, this could lead to command injection, although the instructions provide a basic example using jq to parse JSON.
  • [DATA_EXFILTRATION]: The skill contains comprehensive warnings regarding the management of APIFY_TOKEN. It correctly advises against passing tokens as command-line arguments and suggests using environment variables or OAuth. However, the presence of instructions handling platform tokens requires careful implementation by the user to avoid accidental exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Jun 15, 2026, 01:07 PM