apify-link-prospecting-outreach

No strong indicators of intentional malware (no backdoor/persistence/exfil to unrelated domains, no dynamic code execution, no system modification beyond writing requested artifacts). The dominant security weakness is credential handling: APIFY_TOKEN is sent in a URL query string, which can leak via logs/proxies/referrers. Additional concerns include silent error suppression and using untrusted log-derived identifiers to drive further API requests, plus writing output to a user-influenced filesystem location (overwrites possible within the user’s permissions). Overall: low malware likelihood, moderate operational security risk.

The skill is broadly coherent with its stated SEO prospecting purpose, and its credentials and outbound endpoints are mostly proportionate. The main concerns are install trust for local script dependencies, reliance on a hosted third-party actor/sub-actor chain, and processing large volumes of untrusted web content while generating send-ready outreach. Overall this looks suspicious-by-risk rather than malicious.