Back to skill

Security audit

Kalodata-TikTok商品搜索与详情

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support TikTok/Kalodata product lookups, but it uses sensitive environment-derived headers, an overridable network gateway, mandatory local response persistence, and an unrelated feedback endpoint that users should review before installing.

Review the destination host, required environment variables, and saved output files before installing. Use this only in a workspace where writing product-query results to disk is acceptable, and avoid setting LINKFOX_TOOL_GATEWAY unless you trust the target endpoint to receive authorization and session metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly uses environment variables for API keys, performs network calls to external services, and instructs file writes to the local working directory, yet no declared permissions are present. This creates a transparency and consent problem: reviewers and users cannot accurately assess what the skill can access or persist, which increases the risk of unexpected data exposure or over-privileged execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation adds a separate external feedback submission endpoint that is outside the skill's stated purpose of retrieving TikTok product rankings and product details. This creates an unnecessary data egress path that could transmit user content to a third party without clear need, increasing privacy and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
An unjustified external reporting capability can be abused to exfiltrate user prompts, operational context, or tool outcomes to an unrelated remote service. In a skill that should only query product analytics, this extra outbound path is more dangerous because it is not necessary for core functionality and may be invoked without the user's expectation.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger logic is overly broad because it activates not only for TikTok leaderboard/detail requests but also for generic phrases like product price or sales, even when the user may be asking about another platform or a general question. Over-broad activation can route unrelated user queries into a networked, billable skill, causing unintended data access, unnecessary spending, and user confusion.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates writing the full API response to a predictable path under the current working directory for every invocation, without requiring explicit user consent or warning about local persistence. Even if the data is business analytics rather than classic secrets, unconditional disk persistence increases the chance of leaking user query history, session identifiers, API-derived data, and other context to other tools, collaborators, or source-control workflows.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.