Security audit

LarrySkill

Security checks across malware telemetry and agentic risk

Overview

This TikTok marketing skill is mostly coherent, but it combines social posting automation with bot-detection evasion guidance, plaintext secrets, recurring analytics collection, and broad setup authority.

Review carefully before installing. Use environment variables or a secrets manager instead of committing config.json, require explicit approval for installs, posting, cron jobs, and RevenueCat access, and avoid the account-warmup or anti-detection guidance because it may violate platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding:
The skill instructs the agent to verify and install Node.js and other dependencies on the user's machine, expanding from marketing automation into system modification. Even if operationally useful, this broadens the blast radius: an agent following these instructions could alter the host environment, install untrusted packages, or make changes the user did not expect from a marketing skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The markdown includes concrete package-manager and system-level commands (`brew`, `apt-get`, `npm install`) and tells the agent to help troubleshoot installation. This is dangerous because it encourages an application-domain skill to perform privileged host changes, which can be abused or can break systems if executed in the wrong environment.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The activation text is very broad, triggering on generic marketing or growth discussions rather than a narrowly defined TikTok automation request. Over-broad invocation increases the chance that the skill activates in unrelated contexts and starts soliciting browser access, credentials, or setup actions unnecessarily.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill instructs storing sensitive credentials such as OpenAI API keys, Postiz API keys, and RevenueCat secret keys directly in `tiktok-marketing/config.json`. Persisting secrets in plaintext config files materially increases the risk of accidental disclosure through source control, logs, backups, or later agent/tool access.

Missing User Warnings

Severity: Medium
Confidence: 70%
Finding:
The documented daily cron job automates recurring collection of analytics and possible RevenueCat conversion data, updates local files, and messages summaries without any explicit consent, opt-in, or retention controls. In an agent skill context, unattended recurring execution and ongoing data collection can create privacy, transparency, and unexpected file-modification risks, especially when conversion/revenue data is involved.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document explicitly instructs operators to place a RevenueCat secret API key in config and use it for authenticated API calls, but it provides no guidance on secret handling, storage protections, rotation, or avoiding exposure in source control and logs. In an automation skill that performs marketing and reporting workflows, this omission materially increases the chance of credential leakage and unauthorized access to subscriber and revenue data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The file recommends logging RevenueCat webhook events to a local JSON file that can contain subscriber lifecycle events, product identifiers, timestamps, and revenue data, yet it does not warn about sensitivity, retention, access controls, or redaction. Even if the sample payload is limited, real webhook data often includes customer-linked metadata, so insecure local logging can expose business and subscriber information.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The Replicate flow trusts `prediction.output`/`imageUrl` and performs an unrestricted follow-up fetch, then writes the response bytes directly to disk. If the upstream API response is compromised or a malicious model returns an unexpected URL, this creates an SSRF-style outbound fetch and arbitrary file content write path, with no hostname, scheme, content-type, or size validation.

Ssd 4

Severity: Medium
Confidence: 84%
Finding:
The skill gives explicit instructions for warming up a TikTok account by mimicking normal human behavior to avoid bot detection and reach throttling. In context, this is guidance for evading platform anti-abuse controls, which can facilitate deceptive automation practices and policy violations.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: scripts/check-analytics.js:47