Apify TikTok Comment Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Apify-based TikTok comment scraper, with expected third-party API use and no local executable code.

Install/use this only if you are comfortable sending TikTok URLs and scraped comment/profile metadata to Apify and the named third-party actor. Keep APIFY_API_TOKEN in a secret store, review the actor’s pricing and trustworthiness, avoid adding sensitive context to requests, and clean up Apify datasets when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill sends user-supplied TikTok URLs and receives comment data through the external Apify service, but it does not clearly warn the user that their request content is being transmitted to a third party. This creates a transparency and data-handling risk, especially if users provide sensitive or non-public contextual information alongside the URLs.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal