TikTok Video Downloader

Security checks across malware telemetry and agentic risk

Overview

This TikTok downloader mostly does what it advertises, but its privacy and payment claims do not match the code closely enough for automatic trust.

Review before installing. Use it only if you are comfortable sending TikTok URLs to savefbs.com. Do not use the embedded crypto payment link unless the publisher provides a verifiable payment and unlock process. Expect a small local quota-tracking file to be written in your OpenClaw skills directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The skill explicitly claims it does not collect, store, or transmit user data, yet later states that TikTok video URLs are processed server-side by savefbs.com. Sending a user-supplied URL to a third-party service is data transmission, so this privacy/security notice is materially misleading and can cause users or agents to share data without informed consent.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The script advertises payment integration and 'unlimited downloads' after payment, but it only enforces a local JSON-based quota and never verifies or processes payment. This is dangerous because users may be misled into sending funds to the configured wallet without receiving any enforceable entitlement, and local state can be trivially modified to bypass the limit.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill does not adequately warn users that their TikTok URLs will be sent to savefbs.com, a third-party service, for processing. In this context, the missing disclosure is significant because the skill is designed to forward user-provided content externally, and the surrounding 'safe and transparent' language may further reduce user caution.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding: The skill presents contradictory statements: it says no user data is transmitted while also saying URLs are processed server-side. This misleading policy language undermines informed consent and trust, and because the skill directly interacts with an external service, the inconsistency creates real privacy and compliance risk rather than being a harmless documentation issue.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The provided TikTok URL is sent to savefbs.com, a third-party service, without any explicit disclosure or consent mechanism in the script output or interface. This creates a privacy and data-sharing risk because user-supplied content, metadata, and potentially identifying request information are transmitted off-device unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.