
Security audit

TikTok API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TikTok API helper that makes user-directed JustOneAPI lookup requests and shows no hidden or destructive behavior.

Install only if you are comfortable supplying a JustOneAPI token for TikTok lookups. Treat the token as a credential: keep it out of shared logs and screenshots (the request URLs carry it), and use the returned profile, comment, reply, and search data only for authorized, policy-compliant analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The API token is placed in the query string of every request URL. Query strings are routinely captured in server and proxy logs, browser history, monitoring and tracing systems, and referrer-style telemetry, so although the base URL uses HTTPS (which protects the token in transit), the secret is exposed on each logging and debugging surface the URL passes through, raising the risk of accidental credential leakage.
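The Overview's advice to keep request URLs out of logs and screenshots, and this finding's point about query-string tokens, both come down to the same engineering task: detect when a URL carries a credential and scrub it before it is written anywhere. The block below is an added example written for this audit page; it is not code from the skill or from JustOneAPI. The host `api.example.invalid`, the endpoint paths, the list of credential-like parameter names and the sample log lines are all constructed for illustration.

```python
"""Keep a query-string API token out of logs: detect it, redact it, filter it.

Added example, not code from the skill or from JustOneAPI. The host
api.example.invalid, the endpoint paths, the parameter names and the sample
log lines are constructed for illustration.
"""
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry credentials (assumed list; extend
# it with whatever name the API you call actually uses).
SECRET_PARAM_NAMES = {"token", "access_token", "api_key", "apikey", "key", "secret", "auth"}

# http(s) URLs embedded in free text. Whitespace, quotes, angle brackets and ')'
# end the match so a URL quoted inside a traceback does not drag the quote along.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def find_secret_params(url: str) -> list[str]:
    """Names of query parameters in `url` that look like credentials.

    This is the check an audit tool runs: a non-empty result means the secret
    is exposed wherever the URL is logged or displayed.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in SECRET_PARAM_NAMES]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Return `url` with credential-like query values replaced.

    Scheme, host, path and the non-secret parameters are kept so the redacted
    URL is still useful for debugging.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(n, placeholder if n.lower() in SECRET_PARAM_NAMES else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_text(text: str) -> str:
    """Redact every URL found inside arbitrary text (log lines, exception messages)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class SecretRedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory (stands in for a file or stdout handler)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_requests(urls: list[str]) -> list[str]:
    """Log each request URL through a logger fitted with the filter; return the emitted lines."""
    logger = logging.getLogger("tiktok-helper-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter())
    for url in urls:
        logger.info("GET %s -> 200", url)
    return handler.lines


# Constructed sample requests in the shape the finding describes (token in the query string).
SAMPLE_URLS = [
    "https://api.example.invalid/tiktok/user/info?unique_id=somebody&token=sk_live_1234567890",
    "https://api.example.invalid/tiktok/search?keyword=cats&count=20&token=sk_live_1234567890",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("secret params:", find_secret_params(url))
    for line in log_requests(SAMPLE_URLS):
        print(line)
```

`find_secret_params` is the audit-side check; `redact_url` and the logging filter are the mitigation on the caller's side when the API leaves no choice but to send the token in the query string. Attaching the filter to the logger rather than to one handler means every handler added later (file, stdout, a remote shipper) receives the already-scrubbed message. It does not help with URLs that never pass through `logging`, such as a proxy's access log, so the finding's concern about upstream infrastructure still stands.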

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The documented endpoints authenticate with a token and return user profiles, posts, comments, and replies, yet the skill offers no guidance on privacy, consent, data retention, or disclosure. In a social-media analytics context this raises the risk that personal data is collected or processed without appropriate user awareness or policy controls, and that the token itself is handled unsafely.

VirusTotal

None of the 64 VirusTotal vendors flagged this skill; all 64 reported it as clean.