Back to skill

Security audit

Tiktok Shop Search

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its TikTok Shop scraping purpose, but it also gives guidance for stealth browsers, proxies, CAPTCHA handling, and multi-session collection that users should review carefully.

Install only if you are comfortable with an agent collecting TikTok Shop listing data through browser automation. Avoid using the stealth browser, proxy, multi-session, or CAPTCHA-related guidance unless you have confirmed it complies with TikTok Shop rules and applicable law. Review the local memory file behavior if you do not want operational notes written in your working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly recommends using stealth browsers and country-matched dynamic proxies to access region-restricted TikTok Shop content. That moves the skill beyond simple on-page extraction into guidance for evading geographic and anti-bot controls, which can facilitate unauthorized scraping and policy circumvention.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation text is broad enough to trigger on generic market-research and dropshipping scenarios rather than narrowly on explicit TikTok Shop search requests. Overbroad invocation increases the chance the agent runs a scraping-oriented skill in contexts where the user did not specifically request this capability, expanding data collection and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to read from and append to a local memory file without explicit user notice or consent. Unannounced filesystem writes create integrity and privacy risks, especially if execution context or stored notes contain sensitive operational details.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.