Security audit

Keyapi Tiktok Ecommerce

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a legitimate KeyAPI market-intelligence helper, but it needs Review because it can persist API credentials and cached business data locally and can redirect authenticated requests to an arbitrary server URL.

Install only if you trust KeyAPI and are comfortable giving this skill a KeyAPI bearer token. Prefer setting KEYAPI_TOKEN only for the session, do not commit the generated .env file, avoid KEYAPI_SERVER_URL unless you fully trust the endpoint, use --no-cache for sensitive research, and periodically delete .keyapi-cache and any output files containing market data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented as a bounded TikTok Shop intelligence workflow, but the documented behavior includes generic MCP tool enumeration, schema inspection, arbitrary tool invocation, multi-platform support, local token persistence, and broad disk writes. That gap expands the trust boundary: a user may authorize or run the skill expecting narrow analytics behavior while it enables broader remote actions and local data handling than advertised.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Allowing KEYAPI_SERVER_URL to override the default endpoint lets the script send the bearer token and all tool parameters to an arbitrary remote server. In this skill context, that broadens a TikTok analytics client into a generic authenticated HTTP client and creates a realistic credential-exposure and unintended-data-disclosure path if the environment is manipulated or the skill is repackaged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs agents to persist full API responses under `.keyapi-cache/` and even rewrite image URLs, but it does not warn that retrieved product, shop, review, creator, and market data will be stored on disk. Local caching can expose sensitive business intelligence or user-request-derived data to other local users, backups, logs, or later processes, especially on shared machines or CI runners.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill requires a bearer token in an environment variable and references command-line usage, but provides no safety guidance about shell history, process exposure, accidental logging, or secure storage. In combination with the described scripting and local persistence behavior, inadequate credential-handling guidance increases the chance the API token is leaked or mishandled.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script prompts for a token and automatically writes it to a local .env file without an explicit upfront warning at the time of entry. This can surprise users into persisting an API credential in plaintext on disk, increasing risk of accidental disclosure via local compromise, backups, or repository commits.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.