TikTok Packager

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local slideshow generator with an optional Postiz upload/draft workflow, and I found no hidden exfiltration, persistence, or destructive behavior.

Use it as local-only by omitting --postiz or adding --no-upload. Before enabling --postiz, review the slides and caption because they will be sent to the configured Postiz API using your account credentials and may create a private/draft social posting artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises executable behavior that reads and writes files and invokes shell commands (`python3`, `node`, script execution), but it does not declare any permissions or capability boundaries. That mismatch is a real security issue because an agent or reviewer cannot accurately assess or constrain what the skill is allowed to do, increasing the risk of unexpected local file access or command execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The troubleshooting guide documents an optional Postiz upload and draft-creation workflow, which introduces networked posting behavior beyond the stated skill purpose of generating local slideshow assets and caption text. This scope expansion matters because it can cause operators or downstream agents to use external APIs and social-posting capabilities not clearly declared in the skill metadata, increasing the risk of unintended data exfiltration or unauthorized posting.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file references POSTIZ_API_KEY, TikTok integration IDs, and upload/draft creation failures, clearly indicating external API interaction and posting-adjacent capabilities. In the context of a skill described as generating local assets, undocumented network integration is security-relevant because it expands the trust boundary and could enable unintended outbound communication or content publication.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This function performs a real external side effect by creating a social-media draft using API credentials, while the skill metadata says it generates slideshow assets and caption text. That scope mismatch matters because a caller may reasonably expect local content generation only, but this code can transmit content and create artifacts in a third-party service.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code's behavior exceeds the described purpose by creating remote social-media drafts rather than only generating assets and text. In agent environments, undeclared external actions are security-relevant because they can surprise users, cause unintended publication workflow changes, and leak content to third parties.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This module uploads local files to an external Postiz API, which materially expands the skill's behavior beyond local asset generation described in the metadata. Even if intended as workflow automation, silent exfiltration of generated content to a third party creates data-transfer and scope-creep risk, especially when users may expect purely local processing.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code retrieves an API key from the environment and uses it for authenticated outbound uploads, enabling the skill to act on an external service account. In the context of a skill advertised for deterministic slideshow generation, this introduces an undeclared privileged integration that could publish or store user content remotely without obvious authorization boundaries.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code uploads generated slide images and caption text to an external Postiz service and creates a draft, which exceeds a purely local asset-generation role. Even though this is gated behind CLI flags, it introduces data egress and third-party action capabilities that can transmit user content off-host without an explicit in-code consent or prominent warning at the point of use.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The main workflow conditionally enables a network-backed social publishing path that is not strictly necessary for deterministic slideshow/caption generation. In an agent skill context, bundling content generation with outbound publishing increases the blast radius from local file creation to external account interaction, making misuse or unexpected uploads more harmful.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents an optional upload path to a third-party service and local persistence of run artifacts, but it does not clearly warn users that generated slides, captions, metadata, and possibly account-linked publishing data may be transmitted off-box and retained. In an agent-skill context, lack of explicit disclosure can cause unintended data exfiltration or privacy/compliance issues when users run the documented workflow with sensitive content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The troubleshooting instructions include a destructive cleanup command without warning the user about deletion impact or advising verification of the path first. While the specific path shown is narrow, copy-pasted shell cleanup commands can still lead to accidental data loss, especially if modified or run in an automated workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The request sends caption text and media references to an external API, but there is no visible disclosure, consent check, or trust-boundary warning in this file. If captions or media metadata contain sensitive or unpublished content, this can lead to unintended data exposure to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function reads a local file and transmits it over the network without any user-facing notice, approval step, or in-code safeguard indicating external disclosure. This is dangerous because generated assets may contain sensitive or unpublished media, and the skill context suggests offline asset creation rather than remote transfer, making the transmission less expected and more risky.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The upload path sends generated media and caption content to Postiz and persists responses, but there is no user-facing warning in code at the time of transmission explaining that content is being sent to an external service. This is dangerous because users may assume the skill only creates local assets while their generated content and metadata are actually transmitted and stored by a third party.

VirusTotal

66/66 vendors flagged this skill as clean.
