TikTok Shop API

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal external API integration, but it sends the user’s API token in URL query strings, which raises avoidable credential-leakage risk.

Review this skill carefully before installing if the token has meaningful account privileges. Prefer a low-scope, revocable token; avoid sharing logs or full request URLs; rotate the token if it may have been exposed. This should remain in Review unless the API supports moving authentication to a header or the skill clearly documents the URL-token risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The API authentication token is explicitly defined as a query parameter and later appended to the request URL, which causes the secret to appear in URLs. Query-string secrets are commonly exposed through logs, browser/history tooling, proxy/CDN access logs, monitoring systems, referrer leakage, and error reporting, making accidental credential disclosure much more likely even when HTTPS is used.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Passing an authentication token as a query parameter is risky because query strings are commonly logged by clients, proxies, gateways, and server access logs, increasing the chance of credential exposure. In this skill, the token is required for every request to an external service, so accidental leakage could allow unauthorized API use until the token is rotated.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to send an authentication token as a URL query parameter, which is commonly exposed in browser history, server logs, reverse proxies, analytics tooling, and referrer headers. Even when HTTPS is used, placing credentials in the URL increases the chance of accidental credential leakage to third parties or internal logging systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This endpoint also requires an authentication token in the query string and provides no warning that the request sends credentials to an external API. That combination creates unnecessary risk of token disclosure through logs, monitoring systems, copied URLs, and other URL-handling components, especially in agent or automation environments where requests may be recorded.

VirusTotal

64/64 vendors flagged this skill as clean.