spy
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly scrapes public Instagram accounts via Apify (Step 2 "Scrape via Apify" using apify/instagram-scraper) and downloads/transcribes videos and reads on-screen text and captions (Step 4), meaning it ingests untrusted user-generated content from Instagram and uses that content to drive analysis and template generation—creating a clear avenue for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill instructs users at setup/runtime to run git clone https://github.com/tenfoldmarc/spy-skill (and to install an MCP via "claude mcp add apify -- npx -y @anthropic-ai/apify-mcp-server"), which fetches and installs remote code that the agent relies on to run and which can therefore directly control/alter agent behavior.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).