KOLens TikTok KOL Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed KOLens API helper for TikTok creator search, but users should treat its scraping, contact-data collection, and API key handling carefully.

Install only if you trust the KOLens provider and API URL. Keep the API key private, use HTTPS, avoid logging or committing credentials, and run contact collection only for legitimate outreach that complies with TikTok terms and applicable privacy laws.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings
Medium
Confidence: 82%
Finding: The skill explicitly instructs the agent to scrape TikTok data and fetch creator contact information, but it does not present a clear upfront warning that user-supplied keywords and retrieved contact data will be sent to an external third-party API. This creates a privacy and compliance risk because operators may use the skill without realizing they are initiating collection and transmission of personal data to an external service.

Missing User Warnings
Low
Confidence: 70%
Finding: The setup section asks users to export an API key and service URL without nearby guidance on secure handling, storage, or the fact that the key will authorize external requests. While common in API docs, omission of credential-handling guidance can lead to accidental exposure in shell history, logs, screenshots, or unsafe environment configuration.

VirusTotal

66/66 vendors flagged this skill as clean.