Back to skill

Security audit

clawec-tiktok-product-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TikTok Shop product-analysis helper that sends user-provided product IDs or links to the documented ClawEC API using a user-supplied API key.

Install only if you intend to use ClawEC for TikTok Shop research. Treat the ClawEC API key like a secret, and expect submitted product IDs or links plus related lookup history to be sent to and processed by ClawEC.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of shell scripts and environment variables and clearly performs external API calls, but it declares no permissions. This creates a capability/permission mismatch that can mislead reviewers and users about what the skill can access, especially secrets in the environment and outbound network usage.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger description includes broad natural-language phrases such as general product analysis and link parsing requests, which can cause the skill to activate in situations the user did not specifically intend. Mis-triggering matters here because activation can lead to third-party data submission and use of credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs users to provide an API key and send product links or IDs to a third-party service, but it does not clearly warn that those identifiers and authentication data will leave the local environment and be processed by ClawEC. This weakens informed consent and can expose commercial research targets, account-linked metadata, or secrets to an external processor.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.