Tiktok Bulk Publisher

Security checks across malware telemetry and agentic risk

Overview

This TikTok publishing skill has a clear purpose, but it asks for sensitive OAuth credentials and enables bulk or scheduled posting without enough review safeguards or included code.

Review before installing. Only use it with a dedicated TikTok app credential, confirm the exact OAuth scopes and token storage behavior, inspect the missing publisher script before running it, and require a dry run or manual approval before any bulk or scheduled publish.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill handles highly sensitive OAuth client credentials and performs potentially irreversible actions such as uploading and publishing user videos, yet the documentation provides no warning about secret handling, account scope, consent, or publication risk. In an automation context, this increases the chance that users expose secrets in insecure configs/logs or unintentionally publish content with the wrong privacy settings.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal