Back to skill

Security audit

TikTok Carousel Generator

Security checks across malware telemetry and agentic risk

Overview

This TikTok content skill is not clearly malicious, but it asks for and stores account-session cookies in a way users should review carefully.

Install only if you are comfortable giving the skill TikTok account-session access. Treat TikTok cookies like a password, avoid using an important primary account, review or change the hard-coded storage path, and delete any saved cookie file when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill declares sensitive capabilities through metadata requirements and documented behavior, but does not declare permissions despite handling environment secrets and implying local state/cookie persistence. This weakens transparency and consent boundaries, making it easier for an agent or user to invoke functionality with broader access than the manifest communicates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is content generation, but the analyzed behavior includes TikTok authentication, cookie reuse/storage, and automated posting through browser/web automation. That mismatch is dangerous because users may provide the skill with credentials or run it expecting low-risk generation only, while it can take account actions and persist authenticated session material.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill metadata says it generates TikTok photo carousels, but this script also performs account authentication and posting using persisted session cookies. That capability expansion is security-relevant because it introduces credential handling and account access beyond the described generation-only scope, increasing the chance of hidden or unjustified account automation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script saves TikTok session cookies to a local JSON file for later reuse, effectively storing bearer-style authentication material on disk. If that file is read by another local process, committed accidentally, or exfiltrated, an attacker may be able to hijack the TikTok session without needing the user's password or MFA.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script uses Selenium to restore cookies and automate authenticated interaction with TikTok, which exceeds the advertised content-generation purpose and gives the skill direct account-operating capability. In context, that makes the skill more dangerous because a user expecting content creation may unknowingly run code that logs into and acts on their social media account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The listing advertises auto-posting but does not warn users that the skill may publish content to connected social media accounts. This can lead to unintended posts, reputational damage, or misuse of account permissions, especially because the skill targets social-media workflows where publishing actions have immediate external effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage docs show a posting mode (`--post true`) and require `TIKTOK_COOKIES`, but they do not clearly warn that this can perform authenticated actions on a TikTok account. In this context, omission is security-relevant because the skill is tied to a social media account and session cookies are highly sensitive credentials that can enable unauthorized posting if mishandled.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly requires TIKTOK_COOKIES, which are sensitive session credentials, but provides no user-facing disclosure about why they are needed, how they will be used, or the risks of supplying them. For a beginner-friendly content-generation skill, requesting cookies without clear justification increases the chance users will provide high-value authentication material that could enable account access or misuse if the skill or its dependencies mishandle them.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stores arbitrary hook text verbatim in hook_performance.json without any notice, consent, minimization, or retention controls. In this skill context, hook text may contain unpublished marketing copy, proprietary prompts, or user-provided text, so persisting it to disk can create an unnecessary privacy and data-governance exposure if the local machine, repo, backups, or logs are later accessed.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
TikTok session cookies are written to disk with no warning that they are sensitive authentication artifacts. In a skill whose stated purpose is content generation rather than account management, this is especially concerning because users may not expect credential material to be created and stored locally at all.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification (+1 more)

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/anyio/to_process.py:241

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/pip/_vendor/pygments/formatters/__init__.py:91

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/pydantic/_internal/_namespace_utils.py:37

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/pydantic/_internal/_typing_extra.py:669

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/pydantic/v1/utils.py:195

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/tqdm/cli.py:38

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.14/site-packages/typing_extensions.py:1485

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/httpx/_client.py:469

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/_client.py:322

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/lib/azure.py:235

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/resources/beta/realtime/sessions.py:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/resources/beta/realtime/transcription_sessions.py:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/types/beta/realtime/session_update_event_param.py:165

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/types/beta/realtime/transcription_session_update_param.py:123

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/openai/types/realtime/realtime_session_create_response.py:420

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_internal/network/auth.py:97

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/requests/adapters.py:257

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/requests/sessions.py:322

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connection.py:423

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connectionpool.py:991

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/_securetransport/low_level.py:231

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/socks.py:102

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/httpx/_config.py:43

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_internal/network/session.py:312

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/truststore/_macos.py:371

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/truststore/_windows.py:458

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/connection.py:454

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py:113

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/contrib/securetransport.py:794

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.14/site-packages/pip/_vendor/urllib3/util/ssl_.py:140

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
venv/lib/python3.14/site-packages/httpx/_decoders.py:335