
fix: migrate security fixes to actorization skill #31

Merged

vystrcild merged 1 commit into main from fix/security-actorization on Mar 30, 2026

Conversation

@patrikbraborec (Collaborator)

Summary

  • Migrate security hardening from apify-actor-development to apify-actorization skill (originally applied in commits 7fcaa38 and df2cb1e)
  • Replace curl|bash / irm|iex CLI install patterns with package manager installs
  • Replace apify login -t $APIFY_TOKEN with env var / interactive login to avoid token exposure in shell history
  • Add dedicated Security section covering untrusted content handling, prompt injection prevention, credential isolation, supply-chain checks, and version pinning

Test plan

  • Verify actorization SKILL.md prerequisites match actor-development security patterns
  • Verify new Security section content matches actor-development Security section

🤖 Generated with Claude Code

Apply the same security hardening from actor-development skill: replace
curl|bash install with package managers, secure token handling via env
vars/interactive login, and add Security section covering untrusted
content, prompt injection, supply-chain, and credential isolation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
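As an added illustration (not code from this PR, and not the rules skills.sh actually applies), a small Python scanner that flags the three patterns the description above replaces, run over a constructed SKILL.md fragment before and after the hardening; the install URL is a placeholder:

```python
import re

# Rules for the three patterns the PR description replaces. The regexes are
# an illustration written for this example, not the checks skills.sh runs.
RULES = [
    # curl/wget output piped straight into a shell
    ("pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # PowerShell download piped straight into Invoke-Expression
    ("pipe-to-iex",
     re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b"
                r"[^|\n]*\|\s*(iex|Invoke-Expression)\b", re.IGNORECASE)),
    # token passed on the command line, so it lands in shell history
    ("token-on-cli", re.compile(r"\bapify\s+login\b[^\n]*\s-t\s+\S+")),
]


def scan_skill(text):
    """Return (line_no, rule_name, line) for every line that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, name, line.strip()))
    return findings


# Constructed SKILL.md fragments; the install URL is a placeholder.
SKILL_BEFORE = """## Prerequisites
curl -fsSL https://example.invalid/install.sh | bash
irm https://example.invalid/install.ps1 | iex
apify login -t $APIFY_TOKEN
"""

SKILL_AFTER = """## Prerequisites
npm install -g apify-cli
# Token comes from the APIFY_TOKEN environment variable, or log in interactively:
apify login
"""

if __name__ == "__main__":
    for label, text in (("before", SKILL_BEFORE), ("after", SKILL_AFTER)):
        hits = scan_skill(text)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, name, line in hits:
            print(f"  line {line_no}: {name}: {line}")
```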
vystrcild requested a review from B4nan on March 27, 2026 at 07:05

@B4nan (Member) commented Mar 27, 2026

Replace curl|bash / irm|iex CLI install patterns with package manager installs

I don't really understand why you call this a security risk, it's not a random CURL call, it's a call to our own domain with our own script.

Using NPM is fine for Node.js projects, not so much for python or any other language. That's the whole point why we provided the bundled executables that require this approach for installation.

@lukas-bekr (Contributor)

I don't really understand why you call this a security risk, it's not a random CURL call, it's a call to our own domain with our own script.

It's because of automatic security checks on skills.sh

vystrcild merged commit d146f94 into main on Mar 30, 2026 (2 checks passed)
vystrcild deleted the fix/security-actorization branch on March 30, 2026 at 10:03