tikhub-api-skill

Security checks across malware telemetry and agentic risk

Overview

This is a real TikHub API helper, but it exposes under-disclosed login, account-action, disposable email, metric-manipulation, and unsafe token-handling capabilities.

Review before installing. Use it only if you trust the publisher and TikHub, replace the hardcoded token with a properly scoped secret, restrict requests to TikHub domains, and avoid the login, cookie/proxy, interaction, temporary-email, and view-count endpoints unless you explicitly intend those high-risk workflows and they comply with applicable platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The client explicitly allows any path beginning with 'http' to bypass the configured TikHub base URL, so a caller can direct requests to arbitrary external hosts. Because the client automatically attaches the Authorization bearer token to every request, this can leak the TikHub API credential to attacker-controlled infrastructure and turn the skill into a general outbound HTTP proxy beyond its stated purpose.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API includes endpoints explicitly designed to artificially increase video play/view counts, which directly contradicts a data-query helper’s purpose. These endpoints facilitate platform manipulation and fraudulent metric inflation, making the skill substantially more dangerous than its metadata suggests.

Context-Inappropriate Capability

Critical
Confidence
96% confidence
Finding
SSO/QR login helpers and login-request encryption/decryption functions materially expand this skill into authentication automation and credential-handling territory. In a social-media data helper, those capabilities increase credential exposure risk, enable account takeover-adjacent workflows, and are unnecessary for ordinary search usage.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
SSO/QR login helpers and login-request encryption/decryption functions materially expand this skill into authentication automation and credential-handling territory. In a social-media data helper, those capabilities increase credential exposure risk, enable account takeover-adjacent workflows, and are unnecessary for ordinary search usage.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
SSO/QR login helpers and login-request encryption/decryption functions materially expand this skill into authentication automation and credential-handling territory. In a social-media data helper, those capabilities increase credential exposure risk, enable account takeover-adjacent workflows, and are unnecessary for ordinary search usage.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The API includes endpoints explicitly designed to artificially increase video play/view counts, which directly contradicts a data-query helper’s purpose. These endpoints facilitate platform manipulation and fraudulent metric inflation, making the skill substantially more dangerous than its metadata suggests.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The API includes endpoints explicitly designed to artificially increase video play/view counts, which directly contradicts a data-query helper’s purpose. These endpoints facilitate platform manipulation and fraudulent metric inflation, making the skill substantially more dangerous than its metadata suggests.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
SSO/QR login helpers and login-request encryption/decryption functions materially expand this skill into authentication automation and credential-handling territory. In a social-media data helper, those capabilities increase credential exposure risk, enable account takeover-adjacent workflows, and are unnecessary for ordinary search usage.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation text is very broad ('use when user asks ... needs to fetch data from social media platforms'), which can cause the skill to trigger for many loosely related requests. In a skill that performs authenticated network calls, overbroad activation increases the chance of unnecessary data access, privacy issues, or accidental invocation in contexts where the user did not intend external API use.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The quick-start instructions tell the agent to search, call APIs, and return results from social-media platforms without any privacy, consent, or data-minimization guidance. Because these APIs can retrieve profile, post, and comment data, the lack of safeguards makes it easier to collect or expose personal or platform-derived data without clear user awareness or necessity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The authentication section explicitly states that a default token is used for development and suggests modifying an embedded DEFAULT_TOKEN in the client. Hardcoded or embedded credentials are a serious secret-management flaw: they are easily leaked, reused unintentionally, and can grant unauthorized access to paid or sensitive API resources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Once a full URL is accepted, user-supplied path, query parameters, and POST bodies can be transmitted to any destination without warning or validation. In this skill context, that is more dangerous because the tool is presented as a TikHub-specific social-media data helper, so users and upstream agents may reasonably assume data only goes to TikHub when it can actually be exfiltrated to arbitrary third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Listing CAPTCHA bypass and temp-mail capabilities without strong compliance and account-safety warnings normalizes abuse-oriented workflows and conceals their operational risk. Given the skill’s benign-sounding description, that omission makes accidental misuse more likely and increases overall danger.

Missing User Warnings

High
Confidence
95% confidence
Finding
Listing CAPTCHA bypass and temp-mail capabilities without strong compliance and account-safety warnings normalizes abuse-oriented workflows and conceals their operational risk. Given the skill’s benign-sounding description, that omission makes accidental misuse more likely and increases overall danger.

Ssd 2

Medium
Confidence
93% confidence
Finding
The temporary email feature is presented in a way that supports disposable-account workflows rather than legitimate read-only data access. This is dangerous because it lowers the cost of account cycling and undermines platform anti-abuse controls when combined with the skill’s other automation features.

Ssd 2

High
Confidence
93% confidence
Finding
The temporary email feature is presented in a way that supports disposable-account workflows rather than legitimate read-only data access. This is dangerous because it lowers the cost of account cycling and undermines platform anti-abuse controls when combined with the skill’s other automation features.

Ssd 2

High
Confidence
93% confidence
Finding
The temporary email feature is presented in a way that supports disposable-account workflows rather than legitimate read-only data access. This is dangerous because it lowers the cost of account cycling and undermines platform anti-abuse controls when combined with the skill’s other automation features.

Ssd 2

Medium
Confidence
93% confidence
Finding
The temporary email feature is presented in a way that supports disposable-account workflows rather than legitimate read-only data access. This is dangerous because it lowers the cost of account cycling and undermines platform anti-abuse controls when combined with the skill’s other automation features.

VirusTotal

65/65 vendors flagged this skill as clean.
