
Security audit

crawling

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TikTok scraping guide built on yt-dlp; the risk lies in how browser cookies and any exported TikTok data are handled, not in the downloader itself.

Install only if you are comfortable using yt-dlp for TikTok scraping. Use cookies only from accounts you control and treat cookie files as secrets: an exported browser cookie is a live session token for that account, so never commit or share it. Review any cron job before enabling it, since a scheduled job keeps running with those cookies unattended, and do not send scraped data to the optional external API unless you understand what will be transmitted and to whom.
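The three things the advice above asks you to review before enabling the skill (outbound hosts other than the platform being scraped, cron entries, and cookie-file usage) can be checked mechanically against the skill's instruction text. The script below is an added example and is not code from the audit page or from the skill; the sample text is constructed, and the analysis host in it is a placeholder under the reserved .invalid TLD, not the real optional API the audit mentions.

```python
"""Pre-install review of a skill's instruction text for outbound data paths.

Added example (not the audit page's or the skill's own code). It scans the text
of a skill (SKILL.md, scripts, cron snippets) for hosts other than the scraped
platform, cron entries, and cookie-file usage, and reports line numbers so a
reviewer can read those lines before enabling anything.
"""
import re
from urllib.parse import urlparse

# Constructed sample skill text. The analysis host is a placeholder
# (.invalid TLD), not the optional external API named on the audit page.
SAMPLE_SKILL_TEXT = """\
# TikTok video fetch

yt-dlp --cookies cookies.txt https://www.tiktok.com/@someuser/video/7000000000000000000
yt-dlp --cookies-from-browser chrome -o "%(id)s.%(ext)s" https://www.tiktok.com/@someuser

## Optional: AI analysis
curl -s -X POST https://api.analysis.invalid/v1/summarize -H "Content-Type: application/json" -d @export.json

## Schedule (crontab -e)
0 */6 * * * /usr/local/bin/yt-dlp --cookies /home/me/cookies.txt https://www.tiktok.com/@someuser
"""

URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")
# Five cron time fields (digits, *, /, -, ,) followed by a command, or an @shortcut.
CRON_RE = re.compile(
    r"^\s*(?:(?:[\d*/,-]+\s+){5}\S|@(?:reboot|hourly|daily|weekly|monthly|yearly)\s+\S)"
)
# yt-dlp's two ways of supplying browser session material.
COOKIE_RE = re.compile(r"--cookies(?:-from-browser)?\b")


def host_allowed(host, first_party_suffixes):
    """True if host is one of the expected first-party domains or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in first_party_suffixes)


def find_egress_hosts(text, first_party_suffixes):
    """Return (line_no, host) for every URL whose host is not first-party."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host and not host_allowed(host, first_party_suffixes):
                hits.append((no, host))
    return hits


def find_cron_lines(text):
    """Line numbers that look like crontab entries."""
    return [no for no, line in enumerate(text.splitlines(), 1) if CRON_RE.match(line)]


def find_cookie_uses(text):
    """Line numbers that pass browser cookies to yt-dlp."""
    return [no for no, line in enumerate(text.splitlines(), 1) if COOKIE_RE.search(line)]


def review_skill_text(text, first_party_suffixes=("tiktok.com",)):
    """Collect everything a reviewer should read before enabling the skill."""
    return {
        "egress": find_egress_hosts(text, first_party_suffixes),
        "cron_lines": find_cron_lines(text),
        "cookie_lines": find_cookie_uses(text),
    }


if __name__ == "__main__":
    report = review_skill_text(SAMPLE_SKILL_TEXT)
    for no, host in report["egress"]:
        print(f"line {no}: data may leave to {host}")
    for no in report["cron_lines"]:
        print(f"line {no}: cron entry, runs unattended with whatever cookies it names")
    for no in report["cookie_lines"]:
        print(f"line {no}: browser cookies passed to yt-dlp")
```

Run it against the real SKILL.md and any scripts the skill ships; anything under "egress" that is not a TikTok host is the optional external API path the findings below describe, and a cron line that also appears under "cookie_lines" is the combination the install advice asks you to review.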

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The skill recommends sending scraped/exported content to an external SkillBoss API even though the core skill is local TikTok retrieval and analysis. This creates an unnecessary data egress path and could expose scraped metadata or derived datasets to a third party without clear user consent or data handling boundaries.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation recommends using browser cookies and cookie files to access private or restricted content without warning about the sensitivity of browser session material. Browser cookies can grant authenticated access and may expose personal accounts or sensitive session state if mishandled, especially in shared or automated environments.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill suggests remote AI-powered analysis without warning that scraped/exported TikTok data may be sent to an external service. That omission can mislead users into disclosing collected data off-platform, creating privacy, compliance, and confidentiality risks.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.