Back to skill

Security audit

Kalodata-TikTok视频搜索与详情

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform its advertised Kalodata/TikTok lookup function, but it uses credentials, external network calls, and default local persistence with several scoping and disclosure concerns users should review.

Review this before installing if the workspace contains sensitive data or shared credentials. Only use it with a trusted gateway configuration, a scoped Kalodata/API key, and an understanding that API responses and metadata may be written locally by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
94% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs use of environment variables for API keys, writes full API responses to local files under the working directory, and calls external network endpoints, yet no explicit permission declaration is present. This creates a transparency and policy-enforcement gap: a host may permit execution without clearly surfacing sensitive capabilities, increasing the risk of unintended credential use, persistent storage of potentially sensitive data, and external data exfiltration paths.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file documents a separate public feedback endpoint that is outside the skill’s stated purpose of TikTok video rank/detail retrieval. In an agent setting, unrelated write-capable APIs can expand the action surface and may cause the agent to submit user-derived content to an external service without clear user intent, creating risks of unintended data exfiltration, scope creep, and abuse.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module documentation promises that data will stay in the current project directory and that writing to /tmp is forbidden, but the implementation silently falls back to the home directory and temporary directory. This mismatch can cause sensitive API responses to be written to unexpected locations, weakening operator assumptions and potentially exposing data to broader access or less controlled storage.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script always persists full API responses, cache contents, and session metadata locally even though the skill is described as a query tool. Persisting all returned data increases exposure of potentially sensitive analytics, identifiers, and usage metadata beyond what is necessary to answer the user request, especially on shared workspaces.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation promises data will be written only under the current working directory and forbids /tmp, but the implementation silently falls back to home or temporary directories. This discrepancy can cause sensitive output to be written to less expected or less protected locations, undermining operator assumptions and making accidental disclosure more likely.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough to activate on generic TikTok video analytics requests even when the user did not ask for Kalodata or for a paid leaderboard lookup. In context, this is risky because each invocation consumes credits and may cause unnecessary external requests, local data persistence, and use of stored API credentials without clear user intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script transmits SESSION_ID, MODE_ID, and APP_NAME in HTTP headers without any user notice or consent mechanism. While these may seem operational, they are still contextual metadata that can aid tracking, correlation, or data leakage, especially when combined with an overrideable gateway destination.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.