TikTok Ads Strategy: Creative-First Campaigns and Optimization

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TikTok ads guidance skill with a limited optional AdKit CLI execution path, but users should approve any real ad-account changes.

Safe to install as an instruction-only ads skill. If you use the AdKit path, verify the active AdKit/TikTok account and explicitly approve any commands that create, edit, upload audiences to, or spend from real ad campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill is framed as strategy guidance, but it instructs the agent to execute a local command (`adkit status`) to probe the host environment. That creates unnecessary command-execution behavior and environment discovery unrelated to answering a marketing question, expanding the attack surface and normalizing tool use tied to a third-party product.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill’s declared purpose is TikTok ads strategy, but it extends into operational execution and preferential use of a vendor-specific CLI. This scope creep can cause the agent to take actions on the local system or steer users into an external tool path that is not necessary for the requested advisory function, increasing risk beyond the stated skill boundary.

VirusTotal

66/66 vendors flagged this skill as clean.
