TikTok API

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a coherent agntdata TikTok API helper; it needs an API key and sends requested TikTok lookups to agntdata, but I found no hidden code or harmful behavior.

Install only if you trust agntdata with the TikTok usernames, video IDs, search terms, use-case text, and API key needed for your requests. Store the key in an environment variable or secrets manager, monitor credit usage, avoid sending confidential research terms unless appropriate, and review the separate @agntdata/openclaw-tiktok plugin independently before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill’s authentication guidance is internally inconsistent: it states every request must use an Authorization Bearer token, but the example later uses an X-API-Key header. Inconsistent auth documentation can cause agents or users to send credentials incorrectly, leading to failed calls, unsafe workaround behavior, and accidental credential exposure during troubleshooting.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs authenticated use of a third-party API and encourages sending usernames, video IDs, search queries, and use-case text to an external service without any privacy, data handling, or consent warning. In agent environments, this can silently transmit user-supplied identifiers or sensitive investigative queries off-platform, creating privacy, compliance, and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
