Back to skill

Security audit

TikTok Shop Product Details API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow TikTok Shop product lookup skill, with credential-handling caveats but no evidence of hidden, destructive, persistent, or unrelated behavior.

Install only if you trust JustOneAPI with the product IDs you query and with your API token. Prefer a scoped or rotatable token, avoid running it on shared machines with command logging, and explicitly provide region when you do not want the US default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires the API authentication token as a query parameter and then appends all query parameters directly into the request URL. Tokens in URLs are commonly exposed through logs, browser/history tooling, proxy and CDN logs, monitoring systems, and error reporting, making credential leakage more likely than if the token were sent in an Authorization header. In this skill context, the risk is real because the code is a generic API wrapper and gives no warning that the secret will be placed in the URL.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
Defaulting the region to US without explicit user choice can cause requests to be sent to the wrong market context, producing incorrect or unintended data retrieval. While this is not a severe security flaw in this read-only product-details skill, it can create privacy, compliance, or business-logic issues if users assume the region reflects their own locale.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:43