Back to skill

Security audit

Linkfox Tiktok选品与带货视频

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for TikTok product research and shoppable-video publishing, but it gives agents high-impact TikTok account, token, posting, and storage capabilities with some under-scoped safeguards.

Install only if you trust LinkFox with your TikTok creator authorization and API key, and use it in a workspace where saved response files will not be committed or shared. Before publishing, manually verify the target TikTok account, video file, product ID, caption, and region; avoid setting LINKFOX_TOOL_GATEWAY except to the official trusted gateway; and delete local linkfox output files when they contain account, token-adjacent, media, or business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Tainted flow: 'req' from os.environ.get (line 42, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
89% confidence
Finding
with urlopen(req, timeout=60) as response:

Tainted flow: 'req' from os.environ.get (line 42, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=60) as response:

Tainted flow: 'req' from os.environ.get (line 41, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=60) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
92% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
94% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
93% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 42, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
90% confidence
Finding
with urlopen(req, timeout=60) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents capabilities to read environment variables, perform network calls, invoke Python scripts, and write files, but it does not declare permissions or present any explicit consent boundary for those sensitive operations. In an agent ecosystem, that gap can cause the host or user to underestimate what the skill can do, especially since it handles API keys, token retrieval, local file output, and live-platform actions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document gives contradictory guidance about whether large-file init/bind calls can traverse the proxy. An agent following the wrong section may attempt unsupported upload flows, mis-handle errors, or route requests incorrectly, causing failed operations and potentially bypassing intended gateway restrictions if implementation drifts from docs.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The API inventory explicitly marks `large_file_upload_init` and `large_file_upload_bind` as proxy-supported, while the detailed section says those steps are not proxied. This inconsistency can cause agents or operators to invoke nonexistent or disallowed paths, leading to broken upload workflows and confusion around trust boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The whitelist description allows only `affiliate_creator`, `video`, and `creator`, yet the endpoint table includes `file/202505/init` and `file/202505/bind` as valid proxied APIs. This mismatch weakens operator understanding of enforced boundaries and can result in accidental exposure assumptions or incorrect client behavior around sensitive upload endpoints.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script accesses stored TikTok access and refresh tokens, which is substantially more sensitive than ordinary product-selection or video analytics functionality described in the skill metadata. Even though the output masks the tokens before printing, the operation itself expands the skill's privileges into credential retrieval and creates an unnecessary pathway for secret access.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
Labeling the module as an account 'tokens query' without clearly emphasizing that it reads stored credential material can mislead reviewers and users about the sensitivity of the action. That understatement increases the chance of unsafe approval, overbroad deployment, or accidental invocation of a credential-accessing capability in a context where such access is unexpected.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation promises that writes outside the current directory are forbidden, but _linkfox_root() explicitly falls back to ~/linkfox and the system temp directory. In an agent context, this can bypass user expectations and cause data to be persisted in unintended locations, increasing the chance of sensitive API responses being stored where other processes or users may access them.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring claims output is restricted to the current working directory and forbids /tmp writes, but the implementation falls back to ~/linkfox and the system temp directory. This mismatch can cause sensitive API responses to be written to less expected, less controlled locations, undermining user assumptions and potentially exposing data through broader filesystem access or temp-directory monitoring.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation promises that writes to /tmp are forbidden and that non-writable current directories should cause an error, but the implementation silently falls back to ~/linkfox and finally $TMPDIR/linkfox. This discrepancy can cause sensitive API responses to be persisted in locations the operator did not expect, including temporary directories that may have weaker isolation or retention guarantees.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module documentation explicitly says writing to /tmp is forbidden, but _linkfox_root falls back to tempfile.gettempdir(), which commonly maps to /tmp. This contradiction weakens operator expectations and can place potentially sensitive API responses in a less controlled location, increasing the chance of unintended disclosure on shared systems.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The file-level documentation explicitly says writing to /tmp is forbidden, but _linkfox_root() falls back to the system temp directory. This mismatch can cause operators to rely on a stronger data-handling guarantee than the code actually provides, increasing the chance that API responses are persisted in less trusted or more broadly accessible temporary storage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill exposes a TikTok video download capability, including no-watermark download URLs, without any warning about copyright, platform terms, or privacy implications. That omission can facilitate unauthorized copying or redistribution of creator content, especially because the feature is presented as a normal supported workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes a full shoppable-video publishing chain against official TikTok APIs, but it does not clearly warn that execution can publish content to a live creator account. Because it also handles OAuth, token retrieval, product linking, precheck, and publish steps, a user or calling agent could trigger real-world account actions without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs clients to upload video chunks directly to a returned external `upload_url` that includes query parameters, but it does not warn that this bypasses the LinkFox gateway and sends potentially sensitive media and tokenized URL data to a third-party file gateway. In this skill context, users may assume all traffic remains within the trusted proxy path, so the missing disclosure and handling guidance increases the risk of accidental token leakage, logging exposure, or unintended transmission of creator content to external infrastructure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs automatic persistence of full API responses to a predictable project-local path and says this happens 'always', without requiring explicit user consent or warning about local storage of potentially sensitive business data. In an agent/tooling context, this increases the risk of unintended retention, later exfiltration via unrelated prompts/tools, or accidental inclusion in source control and shared workspaces.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill mandates writing full API responses to a predictable project-local path that includes session-associated organization and usage metadata, but it does not warn about retention, access control, or cleanup. In shared workspaces, checked-in directories, or multi-user environments, this can expose account-linked artifacts, media URLs, and cost/usage details to unintended readers.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.