TikTok User Published Posts API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for fetching TikTok published-post data. It has a genuine credential-handling caveat: the JustOneAPI token travels in the request URL as a query parameter, and the skill does not warn the user about that.

Install only if you are comfortable sending a JustOneAPI token and TikTok secUid to JustOneAPI. Use a limited-scope or disposable token if available, avoid sharing full request URLs or diagnostics, and rotate the token if you suspect it was captured in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill requires an API token and sends it as a URL query parameter. Query strings are routinely recorded in server and proxy access logs, browser history, monitoring and analytics telemetry, and downstream error reports, whereas request headers and bodies usually are not. HTTPS protects the URL in transit, but every TLS-terminating endpoint (the API server, any reverse proxy or CDN in front of it) sees the full request line, so placing the secret in the URL materially increases the chance of credential leakage compared with an Authorization header or a request-body field designed for secrets.

Missing User Warnings

Medium
Confidence: 82%
Finding
The script sends user-supplied identifiers and credentials to an external third-party endpoint without any runtime disclosure or consent prompt. In a skill context, this reduces transparency and can cause users to unintentionally exfiltrate account-linked data or secrets to an external service they may not realize is being contacted.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest explicitly requires a sensitive API token in a query parameter but provides no warning about credential handling, external transmission, logging exposure, or storage practices. Query parameters are commonly recorded in logs, proxies, browser history, and analytics systems, so placing secrets there increases the chance of token disclosure and unauthorized API use.
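All three findings turn on one mechanism: a credential placed in the query string is part of the request line, which servers and proxies log, while a credential in a header is not. The Python below is an added example written for this page; it is not the skill's code and not JustOneAPI's API. The endpoint URL, the `secUid` and `token` parameter names, the token value and the access-log format are all assumptions made for illustration, and whether JustOneAPI accepts an Authorization header is not stated on this page. It contrasts the leaky pattern with the hardened form, shows what a constructed access-log line would capture in each case, and provides the pre-flight check and URL-redaction helper a user would want before sharing diagnostics.

```python
"""Added example: why a secret in the query string leaks where a header does not.

Not the skill's code and not JustOneAPI's API. The endpoint, parameter names
and token value are assumptions made for illustration; whether JustOneAPI
accepts an Authorization header is not stated on the page this accompanies.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Assumed endpoint and parameter names (hypothetical; .invalid never resolves).
BASE_URL = "https://api.example.invalid/tiktok/user/posts"
TOKEN_PARAM = "token"

# Query-parameter names that usually carry credentials; extend for your API.
SENSITIVE_PARAMS = frozenset({"token", "api_key", "apikey", "key", "access_token"})


def build_query_url(sec_uid: str, token: str, base: str = BASE_URL) -> str:
    """The pattern the findings describe: the secret rides in the query string."""
    return f"{base}?{urlencode({'secUid': sec_uid, TOKEN_PARAM: token})}"


def build_header_request(sec_uid: str, token: str, base: str = BASE_URL) -> Request:
    """Hardened form: only the identifier is in the URL; the secret travels in a header."""
    url = f"{base}?{urlencode({'secUid': sec_uid})}"
    return Request(url, headers={"Authorization": f"Bearer {token}"})


def secrets_in_url(url: str, sensitive=SENSITIVE_PARAMS) -> list:
    """Pre-flight check: names of query parameters that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in sensitive})


def redact_url(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Safe form of a URL for bug reports or diagnostics: credential values masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def access_log_line(req_url: str, status: int) -> str:
    """Constructed imitation of a common access-log request line.

    Servers, reverse proxies and CDNs record the request line (method, path and
    query) by default; request headers such as Authorization are not recorded.
    """
    parts = urlsplit(req_url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'"GET {target} HTTP/1.1" {status}'


def demo() -> dict:
    """Run both variants with a constructed token and report where it shows up."""
    sec_uid = "MS4wLjABAAAA_example_secuid"   # constructed, not a real account
    token = "jo_example_token_0123456789"      # constructed, not a real credential

    leaky = build_query_url(sec_uid, token)
    leaky_log = access_log_line(leaky, 200)

    hardened = build_header_request(sec_uid, token)
    hardened_log = access_log_line(hardened.full_url, 200)

    return {
        "query_url_has_token": token in leaky,
        "query_url_flagged_params": secrets_in_url(leaky),
        "query_log_has_token": token in leaky_log,
        "redacted_url_has_token": token in redact_url(leaky),
        "header_url_has_token": token in hardened.full_url,
        "header_log_has_token": token in hardened_log,
        "header_carries_token": hardened.get_header("Authorization") == f"Bearer {token}",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the token present in the query-string URL and in its simulated log line, absent from the header-based request's URL and log line, and absent from the redacted URL. `secrets_in_url` is the check to run on any URL a skill builds before it is pasted into a ticket or a chat; if the API offers no header or body option, treat every logged URL as a token disclosure and rotate.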

VirusTotal

0/63 vendors flagged this skill; all 63 reported it clean. Note that antivirus scanning looks for known-malicious code, not for design issues such as a credential sent in a query string, so a clean result does not address the findings above.
