TikTok Comment Replies API

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but its API token handling can expose the token in URLs or command history.

Install only if you trust the API provider with the token and request data. Prefer running it in a private environment, avoid pasting tokens into chat or logs, and rotate the token if it may have appeared in command history, process listings, or logged URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill accepts the API token via a CLI flag and then injects it into the request as the `token` query parameter, causing the secret to appear in the full URL. Query-string secrets are commonly exposed through shell history, process listings, logs, proxies, monitoring systems, and upstream server access logs, so the token may be disclosed beyond the intended recipient.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal