Dataify Tiktok Comment By Url

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Dataify TikTok request-builder skill, with the main caution being careful handling of the Dataify API token.

Install only if you intend to use Dataify for TikTok scraping and have a Dataify API token. Treat DATAIFY_API_TOKEN as a secret: avoid pasting generated curl commands into shared chats, screenshots, logs, or issue reports, and rotate the token if it is exposed. Also verify that the referenced parameter catalog is available in your installed copy, since it was not included in the scanned artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to place an API token into shell commands and use it in an Authorization header without warning about credential sensitivity, shell history, terminal logging, or process inspection risks. While using bearer tokens is normal for API access, the omission of handling guidance can lead to accidental exposure of a live secret during setup or command sharing.

VirusTotal

66/66 vendors flagged this skill as clean.
