TikTok Post Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrowly scoped TikTok search connector for JustOneAPI, with the main caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI with your search terms and API token. Keep the token in an environment variable, avoid sharing command lines or logs that may include request URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (98% confidence)
Finding
The skill defines the API credential as a required query parameter (`token`) and automatically injects it into the request URL. Query-string secrets are commonly exposed through logs, proxies, browser/history tooling, monitoring systems, and upstream infrastructure, so the token may be disclosed even when TLS is used. In this skill context, the risk is real because the code always places the token in the URL for every call and provides no warning or safer alternative.

Missing User Warnings

Medium (94% confidence)
Finding
The manifest explicitly sends both user-provided search keywords and a sensitive API token to a third-party service, but provides no user-facing disclosure that their query data will leave the platform. This creates a meaningful privacy and consent risk, especially because user-entered search terms may contain sensitive business, personal, or investigative queries, and the external transmission is not surfaced in the skill description.

VirusTotal

65/65 vendors flagged this skill as clean.