Security audit

TikTok Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed TikTok research helper that uses Gecho's MCP server and Chrome extension. The main caution is that searches run inside a logged-in browser session and that raw result sets may be written to local JSON files.

Install only if you are comfortable using Gecho Bridge and the Gecho Chrome extension with a logged-in TikTok session. Treat saved JSON result files as potentially sensitive research data, choose a save directory deliberately when possible, and delete retained result files when you no longer need them.
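As an added example (not code from the skill, from Gecho, or from SkillSpector), the two recommendations above can be applied mechanically: write result files only to an explicitly chosen directory with owner-only permissions, and prune files once a retention window has passed. The function names, the file-name prefix and the sample result record are all hypothetical.

```python
"""Added example, not the TikTok Search skill's own code.

Saves raw search results to a deliberately chosen directory with owner-only
permissions (0600) and removes retained result files past a retention window.
All names and the sample data are hypothetical / constructed.
"""
import json
import os
import tempfile
import time
import uuid
from pathlib import Path


def save_results(results, directory, name_prefix="tiktok-search"):
    """Write `results` as JSON into `directory` (required, no implicit default).

    The directory is created 0700 if missing; the file is created with
    O_EXCL so an existing file is never silently overwritten, and with mode
    0600 so other local users cannot read the research data. On Windows the
    POSIX mode bits are largely ignored by the OS.
    """
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True, mode=0o700)
    path = directory / f"{name_prefix}-{uuid.uuid4().hex}.json"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(results, fh, ensure_ascii=False, indent=2)
    return path


def prune_results(directory, max_age_seconds, name_prefix="tiktok-search", now=None):
    """Delete result files older than `max_age_seconds`; return the deleted paths.

    `now` is injectable so the retention logic can be tested without sleeping.
    Only regular files matching the prefix are touched.
    """
    now = time.time() if now is None else now
    deleted = []
    for path in Path(directory).glob(f"{name_prefix}-*.json"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime > max_age_seconds:
            path.unlink()
            deleted.append(path)
    return deleted


def demo():
    """Round trip on constructed sample data in a temporary directory.

    Returns a dict of check results: JSON round-trips intact, the file is
    owner-only on POSIX, and a 7-day retention prune removes it once the
    clock is advanced 8 days.
    """
    sample = [{"query": "example research term", "video_id": "0000000000"}]  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = save_results(sample, tmp)
        with open(path, encoding="utf-8") as fh:
            round_trip = json.load(fh)
        mode = path.stat().st_mode & 0o777
        later = path.stat().st_mtime + 8 * 24 * 3600
        deleted = prune_results(tmp, max_age_seconds=7 * 24 * 3600, now=later)
        return {
            "round_trip_ok": round_trip == sample,
            "owner_only": mode == 0o600 or os.name == "nt",
            "deleted_count": len(deleted),
            "file_gone": not path.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Passing the save directory as a required argument is the point: a helper with an implicit default location is exactly what produces the silent disk persistence the finding describes.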

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly states that full raw TikTok result sets are saved to a local JSON file, but it does not give a prominent privacy/storage warning before normal use. Because the collected metadata may include sensitive research terms, output linked to the logged-in account, or business intelligence, silently persisting it to disk exposes users to unintended local data retention and leakage.

VirusTotal

None of the 64 VirusTotal vendors flagged this skill; all 64 returned clean.

Static analysis

No suspicious patterns detected.