TikTok Shop Product Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow TikTok Shop search API wrapper, but it handles the JustOneAPI token in ways that can expose it more than users may expect.

Review this before installing if your JustOneAPI token has meaningful account access or billing impact. Prefer a version that reads the token directly from a protected environment variable or secret channel and avoids putting secrets in URLs where possible; rotate the token if it may have appeared in logs or process listings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill requires the API token to be sent as a query parameter, which is commonly logged by client tooling, proxies, gateways, server access logs, browser/history surfaces, and observability systems. Even though the request uses HTTPS, placing secrets in the URL materially increases accidental credential exposure risk compared with using an Authorization header or request header-based credential transport.

VirusTotal

63/63 vendors flagged this skill as clean.
