TikTok User Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for TikTok user search, with a credential-handling caution because the API token is placed in the request URL.

Install only if you trust JustOneAPI with your API token and TikTok search terms. Use a scoped or revocable token if available, avoid pasting token values into chat or logs, and be aware that query-string tokens may be visible in server or proxy logs more often than header-based credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill defines the API credential as a query parameter (`token`) and automatically appends it to the request URL. Query-string secrets are commonly exposed through logs, browser/history equivalents, proxy infrastructure, monitoring systems, and error reporting, making unintended disclosure more likely than if the token were sent in an authorization header.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill requires a sensitive API token to be sent as a query parameter, which is commonly exposed in browser history, intermediary logs, analytics systems, referrer headers, and monitoring tools. In this skill context, the token is for a third-party API and the operation is a simple search endpoint, so putting credentials in the URL is unnecessary and increases the chance of credential leakage and unauthorized API use.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal