Back to skill

Security audit

Keyapi Tiktok Content Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support TikTok analytics, but it also stores credentials locally and exposes broader remote-tool access than a narrow analytics skill would imply.

Review this before installing. Use it only if you are comfortable granting a KeyAPI token to a skill that may access broader MCP server capabilities than TikTok analysis, and avoid entering high-value tokens unless plaintext .env storage and local cache retention are acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill presents itself as a TikTok content-analysis workflow, but its documented behavior includes generic MCP tool enumeration, schema inspection, and effectively arbitrary remote tool invocation through scripts/run.js. That broader capability expands the trust boundary significantly: a user may authorize what appears to be a narrow analytics skill while it can discover and invoke other server-exposed operations, increasing the risk of unintended data access or misuse.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The runner is explicitly generic: it accepts arbitrary --platform values and can list schemas and invoke any MCP tool exposed by the remote KeyAPI server, which exceeds the manifest's TikTok-only content-analysis description. This creates a scope-mismatch risk where users may grant trust and credentials for a narrowly described analytics skill, but the code can access broader remote capabilities than advertised.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This code prompts for a token and writes it to a local .env file, and elsewhere writes cached API responses and optional output files to disk. Persistent credential and data storage are behaviors not implied by a pure TikTok-analysis description, increasing the chance of secret exposure or sensitive data retention on shared systems.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically persists the entered KEYAPI_TOKEN to a plaintext .env file in the skill directory. Plaintext secret storage can be exposed through local compromise, accidental commits, backups, or overly permissive file permissions, and it is not necessary to fulfill the stated analytics purpose.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow instructs persistent local caching of API responses containing comments, captions, analytics, live-stream details, and related content without any retention limits, access controls, sanitization, or user warning. Even if the source data is public or semi-public, aggregating and storing it locally can create a privacy and compliance risk, especially on shared systems or when the cache is later exfiltrated.

Credential Access

High
Category
Privilege Escalation
Content
// ── MCP client ────────────────────────────────────────────────────────────────

/** Prompt for KEYAPI_TOKEN interactively and persist it to .env */
async function promptToken() {
  if (!process.stdin.isTTY) {
    throw new Error(
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
reject(new Error("No token entered. Set KEYAPI_TOKEN and try again."));
        return;
      }
      const envPath = join(ROOT, ".env");
      writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");
      log(`[token] Saved to ${envPath} — future runs will load it automatically`);
      process.env.KEYAPI_TOKEN = token;
Confidence
97% confidence
Finding
.env"

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.