Security audit

TikTok Post Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI helper for fetching TikTok post details, with a credential-handling caveat but no hidden or unrelated behavior found.

Install only if you trust JustOneAPI and are comfortable sending your JUST_ONE_API_TOKEN to api.justoneapi.com as a URL query parameter. Avoid sharing logs, screenshots, terminal output, or error reports that might include request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill sends the API access token in the URL query string (`token`), which is commonly exposed through logs, browser/history tooling, reverse proxies, monitoring systems, and error reporting. Even though the request uses HTTPS, query parameters are still more likely to be retained or disclosed than headers, making credential leakage materially more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal