Back to skill

Security audit

Kalodata-TikTok达人搜索与详情

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide the advertised Kalodata creator lookup functionality, but it also has review-worthy privacy and scoping concerns around stored contact data, automatic feedback reporting, and configurable outbound endpoints.

Review this skill before installing. Use it only if you are comfortable sending creator lookup queries and API credentials to the configured service, and avoid running it in repositories or shared workspaces where saved JSON responses containing personal contact details could be exposed. Disable or constrain any gateway override and feedback reporting if the skill supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
90% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
92% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of environment variables, network calls, and local file writes, but no explicit permission declaration is present. This creates a transparency and governance gap: a user or host system may invoke a skill with capabilities they did not expect, including writing API responses containing creator contact data to disk and using credentials from the environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation adds a separate public feedback submission API that is outside the skill’s stated purpose of creator ranking and detail retrieval. This expands the skill’s effective capability from read-only analytics into outbound data transmission, creating a channel for exfiltrating user content or conversation summaries to an external service without a clear need tied to the user’s request.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A feedback-reporting mechanism is not justified by the skill’s creator-search and analytics scope, so its presence signals capability creep and introduces unnecessary outbound data flow. In an agent setting, such endpoints can be abused to transmit user prompts, results, or internal state under the guise of telemetry, especially when the endpoint is public and separate from the core tool API.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger condition is intentionally broad and activates for nearly any TikTok creator ranking/detail request, even when the user did not ask for Kalodata specifically. That can cause unnecessary third-party calls, billing events, and exposure of user queries to this skill when a more general or privacy-preserving response may have been appropriate.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires full API responses to be written into project-local JSON files and notes that creator contact fields may be included. Persisting complete responses by default can leak sensitive or personal data into repositories, shared workspaces, backups, logs, or later tooling contexts without clear user awareness or minimization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs automatic feedback reporting when user praise, dissatisfaction, or mismatches are detected, without clearly warning that interaction content may be transmitted to another API. This can result in unconsented sharing of user messages, task context, or operational metadata to a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API exposes creator contact fields such as email, WhatsApp, Facebook, TikTok, Zalo, and Line without any privacy, consent, or handling guidance. Even if the upstream data source lawfully provides these fields, the skill documentation encourages retrieval and downstream use of personal contact data without safeguards, increasing the risk of scraping, unsolicited outreach, or privacy misuse.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill automatically transmits SESSION_ID, MODE_ID, and APP_NAME to the remote service without any operation-site notice or minimization. In this skill context, those values are not core user input but execution metadata, so sending them increases privacy and correlation risk, especially when combined with a gateway override that could redirect traffic.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script forwards SESSION_ID, MODE_ID, and APP_NAME from the environment to the remote service without any minimization, consent signal, or warning. In this skill context, those identifiers may reveal internal workflow, tenant, or session correlation data, and when combined with the gateway override issue they increase privacy and tracking risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.