Is Apify MCP server safe?
@apify/actors-mcp-server is an AI mcp_server analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 9 risky constructs are reported for review. It can: filesystem read, filesystem write, mcp tools detected, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 70/100 (high).
@apify/actors-mcp-server 0.11.4
- Sensitive-data access combined with network egress
- Node.js shell/command execution
- Possible command injection (exec with dynamic command)
No malicious indicators found by static analysis.
Findings (9)
The component both reads secret locations (keys, tokens) and can send data over the network.
apiKey: 'e977…[redacted, 32 chars]',
apiKey: '2676…[redacted, 32 chars]',
apiKey: '8784…[redacted, 32 chars]',
async fetch(input: Request | URL | string, init?: RequestInit) {return fetch(input, { ...init, headers });const response = await fetch(url, {Why it matters: That combination is the classic path for quietly stealing credentials off your machine.
Fix: Verify that secrets read from disk are never transmitted off-host without explicit, auditable user consent.
The code builds an OS command out of values that can change at runtime, then runs it through a shell.
const versionString = execSync(`pnpm view ${PACKAGE_NAME} versions --json`, { encoding: 'utf8' });Why it matters: If any of those values come from untrusted input, an attacker can run their own commands on the machine.
Fix: Use execFile/spawn with an argument array instead of exec; never build a shell command string from external input.
An MCP server entry launches a command on your host.
"command": "node",
"command": "node",
Why it matters: Trusting the manifest means running that binary — verify what it is and where it comes from.
Fix: Verify the launched command and its source before trusting this MCP server configuration.
A hardcoded credential (API key, token, or private key) is shipped in the code.
apiKey: 'e977…[redacted, 32 chars]',
apiKey: '2676…[redacted, 32 chars]',
apiKey: '8784…[redacted, 32 chars]',
Why it matters: Anyone who gets the package gets the secret — rotate it and load secrets at runtime instead.
Fix: Remove the secret from the code, rotate it immediately, and load credentials from the environment or a secrets manager at runtime.
The component can run operating-system commands or spawn processes.
import { execSync } from 'node:child_process';const versionString = execSync(`pnpm view ${PACKAGE_NAME} versions --json`, { encoding: 'utf8' });import { spawn } from 'node:child_process';const child = spawn(cmd, args, {Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.
Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.
The component reads files from disk.
const widgetJs = fs.readFileSync(widget.jsPath, 'utf-8');
const cssContent = await fs.readFile(args.path, 'utf8');
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
await fs.rm(distPath, { recursive: true, force: true });Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
async fetch(input: Request | URL | string, init?: RequestInit) {return fetch(input, { ...init, headers });const response = await fetch(url, {const response = await fetch(mdUrl);
// instead of blocking on the HTTP fetch (the SDK does not accept an AbortSignal directly).
* The axios response interceptor stores the header value here so it can be
return (apifyClient as unknown as { httpClient?: { axios?: AxiosInstanceLike } }).httpClient?.axios;* Registers an axios response error interceptor on the ApifyClient's internal
* on errors, so we reach into the internal axios instance.
log.warning('[x402] Failed to access apify-client axios internals — payment header capture disabled');// eslint-disable-next-line @typescript-eslint/promise-function-async -- axios interceptors must return a rejected promise, not throw
* 1. The captured `payment-required` response header (via axios interceptor)
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
"mcpServers": {"tools": {this.server = new Server(getServerInfo(), {Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →