Back to skill

Security audit

Kalodata-TikTok店铺搜索与详情

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at TikTok shop lookup, but it adds under-disclosed local persistence and unrelated automatic feedback reporting that users should review before installing.

Review this skill before installing. It may be useful for Kalodata-backed TikTok shop research, but users should confirm what data is sent to the provider, whether feedback reporting can be disabled, where cached files are written, and how to clean up saved API responses or session metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill describes capabilities to read environment variables, write files to the current working directory, and call network endpoints, but the metadata does not declare corresponding permissions or constraints. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can access, and the file-writing behavior also persists API responses locally, which may expose sensitive business data or identifiers if the workspace is shared.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to automatically call a separate Feedback API whenever users express praise, dissatisfaction, or whenever the agent thinks something could be improved, which is unrelated to the core TikTok shop lookup function. That creates an unnecessary secondary data flow that may transmit user content or behavioral metadata to another service without clear consent, purpose limitation, or minimization.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file documents a separate feedback-posting endpoint that is unrelated to the stated shop ranking/detail functionality. In an agent skill, introducing an extra outbound action can create an unintended side effect path where user content or conversation summaries are sent to a third-party service without an explicit user request, increasing privacy and data exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill persists full API responses, cache entries, and session metadata to local files even though its user-facing purpose is shop ranking/detail lookup. This can leave sensitive business data, session identifiers, and usage traces on disk longer than expected, increasing exposure to local disclosure or cross-task data leakage in shared environments.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The documentation promises writes only to the current working directory and explicitly forbids /tmp, but the implementation silently falls back to home and temp directories. This mismatch is dangerous because operators may rely on the documented storage boundary, while the code can place data in less controlled locations where other processes or users may access it.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger conditions are intentionally broad, stating the skill should activate even when the user does not mention Kalodata as long as the request generally concerns TikTok shop rankings or details. Over-broad triggering can cause the wrong skill to run, leading to unnecessary external API calls, unintended point/fee consumption, and avoidable disclosure of user queries to the Kalodata-backed service.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
Mandating auto-reporting of user feedback without opt-in bypasses user choice and may send conversational content, sentiment, or locale-related information to an external endpoint without consent. In this skill's context, the risk is amplified because the reporting is triggered broadly, including whenever the agent independently believes improvement is possible, making the data sharing hard for users to anticipate.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits SESSION_ID, MODE_ID, and APP_NAME to the remote service in HTTP headers without any explicit user-facing notice or minimization. In the context of a shop-ranking skill, that metadata is not obviously necessary for the user’s requested functionality and can expose workflow, application, or session correlation data to the service operator.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.