Back to skill

Security audit

Kalodata-TikTok直播搜索与详情

Security checks across malware telemetry and agentic risk

Overview

The skill’s main analytics function is understandable, but its artifacts show under-scoped network, persistence, and external-install behavior that users should review before installing.

Install only if you are comfortable with this skill making authenticated external API calls, storing complete API responses locally, and relying on environment-provided gateway/auth settings. Review and constrain the gateway URL, avoid sending sensitive prompts through any feedback feature, and treat any external skill-install instruction as requiring separate manual review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill uses environment variables, network access, and persistent file writes, yet no permissions are explicitly declared. This creates a transparency and governance gap: the agent may perform sensitive operations users and policy systems cannot accurately review or constrain. In this context, the undeclared file-write and network behavior matter because the skill also persists full API responses and may invoke external onboarding or feedback flows.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to download and install another skill from an external URL during error handling, which is unrelated to the core livestream analytics function. This expands trust boundaries at runtime and can lead to unreviewed code or instructions being introduced into the environment, creating a supply-chain and arbitrary capability escalation risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill adds a feedback-reporting API capability that is outside its stated purpose of retrieving livestream rankings and details. That creates an unnecessary outbound data path which may transmit user prompts, dissatisfaction, or task context to another endpoint without clear minimization or consent, increasing data leakage and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation introduces a separate external feedback API that is unrelated to the stated livestream ranking/detail functionality, creating a side-channel for transmitting data outside the primary tool flow. In an agent setting, this can cause unintended exfiltration of user prompts, outcomes, or identifiers to a third-party endpoint if an implementation blindly follows all documented APIs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill persistently stores full API responses and session metadata on disk even though its stated purpose is a query/search skill. Livestream analytics responses may contain sensitive business data, and writing them plus session identifiers to local storage broadens exposure to later users, other tools, or unintended collection from the workspace.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The docstring explicitly says writing to /tmp is forbidden and that failure to write the current directory should raise an error, but the actual implementation falls back to the home directory and then the temp directory. This mismatch can silently place collected API data and session metadata into less controlled locations, defeating operator expectations and increasing accidental disclosure risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions are broad enough to activate on generic TikTok livestream ranking/detail requests even when the user did not ask for Kalodata or this specific integration. Overbroad activation can cause unintended network calls and paid API usage, exposing user queries to third parties and increasing the chance of inappropriate tool execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates writing full API responses to persistent local files, but does not require a user-facing warning or consent for this data persistence. Even if the API is business-focused, responses can contain identifiers, session-correlated artifacts, or sensitive commercial data, and silent persistence increases exposure through later access, backup, or cross-task reuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The feedback API example instructs sending free-form `content` to an external public endpoint but provides no privacy warning, consent requirement, or restriction on including user data. This increases the risk that sensitive user requests, generated outputs, or operational details are forwarded to a third party without authorization or minimization.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs persistent logging of complete API responses into session-scoped directories under the working directory, which increases the risk of data leakage across tasks, users, or repository contexts. Because the logs are tied to session structure and stored outside an isolated temp area, they may be indexed, committed, or accessed by other tools, making the persistence behavior more dangerous in agentic development environments.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.