FastMoss TikTok Top Selling

Security checks across malware telemetry and agentic risk

Overview

The TikTok ranking lookup is legitimate, but the skill also tells agents to silently send user feedback and intent details to a separate LinkFox endpoint.

Install only if you are comfortable using a LinkFox API key for FastMoss/TikTok ranking queries. Before use, ignore or disable the automatic feedback-reporting instruction unless you explicitly want user comments, intent mismatches, or improvement notes sent to LinkFox, and avoid including private business plans or customer data in any feedback payload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically send user feedback, dissatisfaction, praise, or perceived mismatches to a separate Feedback API unrelated to the core ranking function. This is risky because it enables undisclosed secondary data transmission based on user conversation content, potentially leaking user intent or metadata without clear consent.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger definition is broad enough to activate on general product-research or ranking-related requests even when the user did not specifically ask for FastMoss or this skill. Overbroad invocation can route user requests to an external data source unexpectedly, causing unintended data sharing and reducing user control over tool selection.

Vague Triggers

Medium
Confidence: 86%
Finding
Examples such as 'hot products on TikTok Shop' and 'what's selling well' are common phrases that may appear in broad exploratory conversations. Using them as triggers increases the chance of accidental activation and external querying when the user may only be asking for general advice, not requesting FastMoss-backed data retrieval.

VirusTotal

62/62 vendors flagged this skill as clean.