tiktok-downloader

Security checks across malware telemetry and agentic risk

Overview

This TikTok downloader does what it says, but it needs review because it reads cookies from the local Chromium browser profile (including any logged-in TikTok session) without clear consent and without restricting which URLs those cookies are sent for.

Install only if you are comfortable with the skill using a local Chromium profile that may be logged in. Prefer a dedicated browser profile or an exported cookie file over the default profile, verify that each URL's host is actually tiktok.com (not merely a string containing "tiktok") before passing it on, choose an explicit output folder, and make sure yt-dlp is installed from a trusted source.
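The mitigations above amount to a thin wrapper around the yt-dlp command line. The following is an added example, not the skill's own code, written on the assumption that the skill shells out to the yt-dlp CLI: it rejects any URL whose host is not on an exact TikTok host allowlist, passes an explicit exported cookie file with `--cookies` instead of yt-dlp's browser-profile import, writes to an explicit output directory with `--paths`, and checks that the yt-dlp binary it will run is the one on PATH. The host allowlist, the function names and the sample URLs are assumptions for illustration.

```python
"""Scoped TikTok download wrapper (added example; not part of the skill).

Assumes the skill invokes the yt-dlp CLI. Instead of letting yt-dlp harvest
cookies from the default Chromium profile, this wrapper:
  * accepts only https URLs whose host is exactly on ALLOWED_HOSTS,
  * supplies cookies from an explicit Netscape-format cookie file (--cookies),
  * writes into an explicit output directory (--paths),
  * refuses to run if yt-dlp is not found on PATH.
"""
from __future__ import annotations

import os
import shutil
import subprocess
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Hosts TikTok serves video/share links from. Assumption for illustration;
# trim or extend to match the links the skill is expected to handle.
ALLOWED_HOSTS = frozenset({
    "tiktok.com", "www.tiktok.com", "m.tiktok.com", "vm.tiktok.com", "vt.tiktok.com",
})


def is_tiktok_url(url: str) -> bool:
    """Return True only for https URLs whose host is exactly an allowed host.

    Whole-host comparison rejects look-alikes such as tiktok.com.evil.example
    and evil-tiktok.com. Userinfo tricks (https://tiktok.com@evil.example/)
    fail too, because urlsplit reports the part after '@' as the host.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed IPv6 literal and similar garbage
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in ALLOWED_HOSTS and bool(parts.path)


def build_command(url: str, cookie_file: str | os.PathLike[str],
                  out_dir: str | os.PathLike[str], ytdlp: str = "yt-dlp") -> list[str]:
    """Build the yt-dlp argv for one video; raise ValueError on an out-of-scope URL."""
    if not is_tiktok_url(url):
        raise ValueError(f"refusing non-TikTok URL: {url!r}")
    return [
        ytdlp,
        "--cookies", str(Path(cookie_file)),   # explicit file, never --cookies-from-browser
        "--no-playlist",                        # one video per call, no scope creep
        "--paths", str(Path(out_dir)),          # explicit output folder
        "--output", "%(id)s.%(ext)s",           # predictable file names, no uploader-controlled text
        "--",                                   # end of options: a URL can never be read as a flag
        url,
    ]


def run_download(url: str, cookie_file: str | os.PathLike[str],
                 out_dir: str | os.PathLike[str]) -> int:
    """Validate inputs, then run yt-dlp once and return its exit code."""
    exe = shutil.which("yt-dlp")
    if exe is None:
        raise FileNotFoundError("yt-dlp not found on PATH; install it from a trusted source first")
    cookie_path = Path(cookie_file)
    if not cookie_path.is_file():
        raise FileNotFoundError(f"cookie file not found: {cookie_path}")
    # Session cookies are credentials: warn if anyone but the owner can read them.
    if os.name == "posix" and cookie_path.stat().st_mode & 0o077:
        print(f"warning: {cookie_path} is readable by other users", file=sys.stderr)
    target = Path(out_dir)
    target.mkdir(parents=True, exist_ok=True)
    argv = build_command(url, cookie_path, target, ytdlp=exe)
    print("running:", " ".join(argv), file=sys.stderr)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} URL COOKIE_FILE OUT_DIR")
    sys.exit(run_download(sys.argv[1], sys.argv[2], sys.argv[3]))
```

If you would rather keep using a browser session than export a cookie file, point yt-dlp at a dedicated profile rather than the default one, so the cookies it can read are limited to whatever that profile is logged into; the wrapper above deliberately does not expose that option, so the only cookies that can leave the machine are the ones in the file you hand it.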

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs use of browser-derived cookies from a local browser data directory to authenticate TikTok downloads, but does not warn the user that this leverages an authenticated browser session and may access account-scoped content. That omission increases the chance of unintended use of sensitive session material and can lead users to perform actions with privacy, policy, or account-security implications they do not understand.

Missing User Warnings

Low
Confidence: 85%
Finding
The batch-download guidance encourages saving large amounts of third-party content locally but does not warn about disk usage, handling of downloaded external files, or the legal/privacy implications of bulk collection. While not directly exploitative by itself, the lack of disclosure can lead to unsafe operator behavior, accidental storage exhaustion, or inappropriate retention of external content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script automatically reads cookies from the local Chromium browser profile and sends them, through yt-dlp, with its requests to TikTok, without any explicit user consent, warning, or scope limitation. Browser cookies may include authenticated session tokens, so this behavior can expose credential-sensitive data and cause the tool to act under the user's logged-in identity unexpectedly. Because the cookie source is the whole profile rather than a scoped file, every request yt-dlp makes with them carries that identity.

VirusTotal

0 of 60 vendors flagged this skill as malicious. Note that this is a static malware scan of the skill's files; it says nothing about the behaviors reported above, which are design choices (browser cookie import, unscoped URLs) rather than malicious code, and would not be expected to trigger antivirus signatures.