Keyapi Tiktok Shop Creator Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible TikTok Shop analytics helper, but it also includes a broad MCP runner that can call more than the advertised creator-discovery tools and stores tokens/results locally.

Review before installing. Use it only if you are comfortable with a generic KeyAPI MCP client, not just a fixed TikTok Shop workflow. Prefer setting KEYAPI_TOKEN in your shell instead of entering it at the prompt, keep .env out of source control, clear .keyapi-cache before sharing the workspace, and verify KEYAPI_SERVER_URL is not set to an untrusted host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as narrowly scoped TikTok Shop creator analysis, but its instructions include generic MCP behaviors such as listing all available tools, dynamically retrieving schemas, and invoking tools by name through a general runner. That broader capability can expand the effective attack surface and may enable use of unintended server-side tools beyond the advertised purpose, which is risky in an agent setting where trust is based on the description.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script is materially broader than the advertised TikTok Shop creator-discovery skill: it can connect to arbitrary platform paths and invoke any MCP tool exposed by the remote KeyAPI server. That scope expansion increases attack surface and enables unintended data access or actions if a user assumes this skill is limited to creator discovery.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Exposing tool enumeration and schema inspection gives users a discovery mechanism for all capabilities available on the backend, not just the intended creator-discovery workflow. In a least-privilege skill, this can reveal undocumented endpoints and make misuse easier even if it does not by itself compromise the host.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Reading and using a local .env for API credentials is not inherently malicious, but in this skill it expands the trust boundary and introduces credential-handling behavior unrelated to end-user creator analysis. Combined with automatic persistence elsewhere in the script, it increases the risk of accidental token exposure through local files or repository inclusion.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Allowing arbitrary output paths and local caching creates file-write behavior beyond the core creator-discovery purpose. If the script is run in sensitive environments, this can lead to unintended persistence of API results or overwriting files chosen by the caller.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to persist creator profiles, sales metrics, audience demographics, and trend data into a local `.keyapi-cache/` directory without any explicit warning, consent flow, retention policy, or safeguards. Local caching of potentially sensitive commercial and demographic data increases privacy and data-handling risk, especially on shared systems or long-lived agent environments where the cache may be readable by other users or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script interactively collects an API token and writes it to .env automatically without an explicit consent prompt, permission hardening, or warning about persistent local storage. This can cause users to unknowingly leave credentials on disk where they may be exposed to other local users, backups, or accidental commits.

Credential Access

High
Category
Privilege Escalation
Content
reject(new Error("No token entered. Set KEYAPI_TOKEN and try again."));
        return;
      }
      const envPath = join(ROOT, ".env");
      writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");
      log(`[token] Saved to ${envPath} — future runs will load it automatically`);
      process.env.KEYAPI_TOKEN = token;
Confidence
78% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.
