Scrape Substack newsletters and articles. Use when user asks to search Substack, find newsletter posts, extract Substack content, or monitor Substack publica...
Security Analysis
high confidenceThe skill's requests, required binaries, and runtime instructions are consistent with a small wrapper that calls an Apify actor to scrape Substack; nothing requested appears disproportionate to that purpose.
Name/description require scraping Substack via Apify and the skill declares APIFY_TOKEN plus curl and jq. Those requirements logically match the described behavior (invoking an Apify actor via REST).
Instructions are narrowly focused on calling Apify REST endpoints and presenting dataset items. They do not ask the agent to read local files or other credentials. Two operational notes: (1) examples place the APIFY_TOKEN in the query string which can expose the token in shell history, process lists, and logs — using an Authorization header would be preferable; (2) the instructions do not validate or restrict user-supplied URLs (they accept arbitrary URLs), so users could accidentally ask the actor to fetch non-Substack or internal endpoints — this is a behavioral/usage risk rather than an incoherence.
Instruction-only skill with no install spec or external downloads. This is the lowest-risk install model and matches the declared metadata.
Only APIFY_TOKEN is required and it is declared as the primary credential; that is proportionate given the skill invokes Apify's API. As noted above, embedding the token in the URL is less safe than using an Authorization header and you should ensure the token has limited scope and is rotated if compromised.
always is false and the skill does not request persistent or elevated privileges, nor does it modify other skills or system config. Autonomous invocation is permitted (platform default) but not combined with other concerning privileges.
Guidance
This skill appears coherent for invoking an Apify actor to scrape Substack, but consider the following before installing: 1) APIFY_TOKEN is required—treat it like a secret, ensure it has minimal permissions, and rotate if you suspect exposure. 2) The examples put the token in the URL query string which can leak to shell history or logs; prefer sending the token in an Authorization header if you run similar commands locally. 3) The skill will submit user-provided URLs to a third-party actor (actor ID shown). Verify you trust the actor/owner on Apify or inspect the actor's source on Apify before sending sensitive or internal URLs. 4) Be mindful of legal/terms-of-service and privacy considerations when scraping content. If you want stronger guarantees, ask the skill author for an option to use Authorization headers and to restrict/validate input URLs to Substack domains.
Latest Release
v1.0.0
Initial release - scrape Substack newsletters
More by @MarcinDudekDev
Published by @MarcinDudekDev on ClawHub
