TikTok Global Data Collection (TikTok全球数据采集)

Security checks across malware telemetry and agentic risk

Overview

This TikTok skill is mostly a data-query assistant, but it also exposes sensitive cookie use, client-emulation tools, account-interaction claims, and possible engagement manipulation that need review before installation.

Install only if you trust MaxHub/aconfig.cn with the MaxHub API key and any TikTok cookies you provide. Avoid using primary-account cookies, review platform terms, and do not allow endpoints involving view boosting, signature/fingerprint generation, device registration, likes, follows, or comments to run without explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (162)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
Lines L126-L133 state that all endpoints are legitimate read-only data analysis APIs and that the skill performs read-only queries only. Elsewhere, the same file documents non-read-only capabilities such as `open_*_app_to_*` interaction triggers (L102-L107) and endpoints like `fetch_post_comment` and `fetch_post_comment_reply` in the endpoint list (L178), which go beyond pure read-only querying.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The manifest description emphasizes data querying and tooling for TikTok data modules. However, the documented endpoint inventory includes capabilities such as `generate_xbogus`, `generate_fingerprint`, `device_register`, `fetch_tiktok_web_guest_cookie`, `encrypt_strData`, `decrypt_strData`, and even `fetch_post_comment`/`fetch_post_comment_reply` (L178, L184), which materially expand beyond a normal data-query assistant into protocol and account-interaction functions.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
A TikTok data assistant would reasonably query remote APIs, but endpoint groups like `register_device`, `generate_*`, `encrypt_*`, `decrypt_*`, and `fetch_guest_cookie` are specialized protocol-emulation utilities rather than ordinary analytics functions. Even though the file attempts to justify them as compatibility tools, they remain capabilities that are substantially more invasive than standard data retrieval for the stated assistant role.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest description emphasizes TikTok data querying across content, ads, creators, and ecommerce modules. However, `generate_x_mssdk_info` is documented as generating `X-Mssdk-Info` and `X-Mssdk-RC` specifically for device registration and login scenarios, which goes beyond ordinary data retrieval/tooling and enters authentication-enablement behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Generating anti-abuse or platform-specific login/device-registration headers is a specialized capability distinct from querying user, video, ads, creator, or ecommerce data. Given the manifest's stated purpose, this capability appears context-inappropriate because it facilitates account access flows rather than information lookup or analytics.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest frames the skill as a TikTok data query and tooling assistant, which implies retrieval, search, analytics, creator, and commerce tooling. However, this file documents endpoints to increase a video's play count and to trigger user-facing interaction flows such as private messaging, going beyond query/helper behavior into engagement manipulation and interactive action generation.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest says the skill covers video details, user data, search, ads, creator tools, e-commerce, and some interaction/protocol tools. But this file documents extensive request-signing, fingerprint, token, device registration, and anti-bot related utilities such as msToken, web_id, xbogus, xgnarly, and browser fingerprint generation, which materially expand the behavior beyond ordinary data-query tooling.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
An endpoint described as '根据视频ID来增加作品的播放数' directly supports manipulation of engagement metrics rather than analysis, lookup, or creator tooling. That capability is not a necessary or obvious implementation detail of querying TikTok data and is context-inappropriate for the stated assistant purpose.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Endpoints for generating fingerprints, msToken, ttwid, web_id, xbogus, xgnarly, and combined signatures are specialized capabilities for emulating clients and constructing signed requests. While some protocol handling may be expected, the breadth here—especially language about defeating controls and generating realistic fingerprints—extends beyond what a normal data assistant needs.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
For `fetch_post_comment`, the warning claims the endpoint can publish comments and is a write operation, yet the endpoint name, method, parameters, and description all describe retrieving comment lists. This is an active contradiction in the documentation that could mislead auditors or downstream users about the endpoint's actual intent and risk.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
For `fetch_post_comment_reply`, the warning states the endpoint can publish comment replies, but the endpoint name, GET method, inputs, and detailed description all indicate it fetches reply lists. This contradiction obscures the true intent and may cause incorrect trust assumptions about whether the endpoint is read-only or mutating.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header text presents this as a legitimate protocol/authentication helper equivalent to standard signing, but the body explicitly says it is a '完美还原算法' that ignores '除验证码外的一切风控'. That language directly conflicts with the claimed compliant/standard-auth framing and signals an intent to bypass platform protections rather than merely interoperate.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README lists invocation examples as short generic terms such as "视频", "搜索", "分析", "点赞", and "关注" without defining when they should or should not activate the skill. These broad everyday phrases lack scope constraints or negative examples, increasing the chance of unintended invocation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises actions like "like, follow, post_comment, reply_comment, collect, forward," which can perform account-affecting or externally visible operations. However, the documentation does not provide any warning about account actions, side effects, confirmation expectations, or the need for user authorization before performing them.

Vague Triggers

Medium
Confidence
95% confidence
Finding
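In its "使用示例" (usage examples) section, the README gives only very short, high-frequency words as example commands, such as "视频", "用户", "搜索", "分析", "点赞", and "关注". These words lack contextual constraints, clear trigger boundaries, or exclusion conditions, and they easily overlap with common vocabulary in ordinary conversation, which can cause the skill to be invoked unintentionally.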

Missing User Warnings

Medium
Confidence
90% confidence
Finding
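The README explicitly lists operations such as like, follow, post_comment, reply_comment, collect, and forward, which change account state or content on the external platform, but the documentation provides no user warning, confirmation instructions, or risk notice. Such behavior affects user data, privacy, or account integrity, and under the rule it should be clearly flagged in the markdown description.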

Vague Triggers

Medium
Confidence
89% confidence
Finding
This markdown file includes invocation/routing logic, so SQP-1 applies. The instruction "If uncertain, default to Video & Content" is an ambiguous activation rule because it does not define clear boundaries for when the skill should refuse or ask for clarification, which could cause broad everyday TikTok-related requests to be routed into this skill unintentionally.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger tables include generic terms such as "info", "query", "basic", "search", "find", "show me", and "analyze" without strong contextual constraints. In a markdown skill description, such broad phrases can collide with normal conversation and make it unclear when this skill should activate versus when a general assistant response is appropriate.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Although the markdown includes general cookie safety guidance, it also states that some endpoints require a user session cookie for personalized data. For markdown files, SQP-2 applies when behaviors affecting privacy are insufficiently warned; here the doc does not instruct the agent to present a fresh, explicit warning and obtain user acknowledgment before invoking cookie-based flows.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
SQP-3 applies to all file types and covers language/locale policy issues. The requirement that "ALL output matches user's detected language" imposes an automatic language choice based on detection, without giving the user a language preference option or opt-in, which can violate organizational language-choice policies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This is a markdown file, so SQP-2 applies to omissions in the skill description. The document states that requests use a Bearer API key and later requires a user Cookie for authentication, but it does not include any warning about the sensitivity of these credentials, safe storage/handling, or the privacy implications of transmitting them to the API.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown explicitly instructs use of a user Cookie string for identity authentication and optionally a proxy, which can affect user privacy and account security. There is no accompanying warning that this may expose session-authentication material, should be used only for the user's own account, and may route data through third-party infrastructure when a proxy is used.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
This markdown file includes natural-language API guidance that defaults requests to a specific language and region (`en-US`, `US`) without clarifying that these are only examples or that users may choose their own locale. Under the language/locale policy rule, fixed locale defaults in user-facing documentation can be a policy concern when no opt-in or justification is provided.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
The parameter description states `ad_language` defaults to `en`, which imposes a specific language in the skill documentation without mentioning user choice or a justified regional constraint. This is a natural-language locale-policy issue because it can steer behavior toward English by default rather than honoring user preference.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
The title and much of the descriptive content are primarily presented in Chinese, with only partial bilingual support. For a general-purpose API reference, this can create a de facto language constraint if the skill expects users or downstream agents to operate in Chinese without explicitly offering a language choice.

VirusTotal

VirusTotal findings are pending for this skill version.
