TikHub

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around the TikHub connector that also exposes sensitive account utilities; the review found no hidden code, persistence, exfiltration, or destructive behavior.

Install only if you want Codex to access TikHub through your OOMOL-connected account. Treat the output of `get_user_info` as sensitive, since it may reveal account or API key details, and approve setup steps (installing `oo`, logging in, connecting TikHub, or a billing recharge) only when you asked for them.
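As an added example, not code from the skill or from this report, the following filter is one way an operator could scrub `get_user_info`-style output before it is logged, echoed into chat, or passed to another tool. The field names, the value-shape heuristics, and the sample response are constructed assumptions; the real response format is not documented on this page.

```python
"""Redact secret-bearing fields from a tool response before it enters agent context.

Added example. The key names, value shapes and the sample response below are
constructed assumptions; the real get_user_info response is not documented here.
"""
import json
import re
from typing import Any

# Keys whose string values are treated as secrets and masked, keeping a short suffix.
SECRET_KEYS = re.compile(r"api[_-]?key|token|secret|password|authorization", re.I)
# Values that look like credentials even under an innocuous key (prefixed keys, long hex).
SECRET_VALUE = re.compile(r"^(sk|tk|key|tok)[_-][A-Za-z0-9_-]{16,}$|^[A-Fa-f0-9]{32,}$")
# Account-identifying keys: replaced outright, since even a suffix is still identifying.
ACCOUNT_KEYS = re.compile(r"^(email|phone|username|user_?id)$", re.I)


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters so an operator can still match the key."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact(obj: Any) -> Any:
    """Walk a decoded JSON document and redact by key name or by value shape."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if isinstance(val, str) and (SECRET_KEYS.search(key) or SECRET_VALUE.match(val)):
                out[key] = mask(val)
            elif isinstance(val, str) and ACCOUNT_KEYS.match(key):
                out[key] = "[redacted]"
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, str) and SECRET_VALUE.match(obj):
        return mask(obj)
    return obj


def redact_tool_output(raw_json: str) -> Any:
    """Entry point for a tool wrapper: parse the raw response, return the redacted document."""
    return redact(json.loads(raw_json))


# Constructed sample, not a real TikHub response.
SAMPLE_RESPONSE = json.dumps({
    "user": {"email": "ops@example.com", "plan": "pro"},
    "api_key": "tk_live_0123456789abcdef0123456789abcdef",
    "balance": {"credits": 1200},
    "tokens": [{"name": "ci", "value": "tk_ci_" + "Z" * 24}],
})

if __name__ == "__main__":
    print(json.dumps(redact_tool_output(SAMPLE_RESPONSE), indent=2))
```

The wrapper should run before the response is stored or rendered anywhere, not after; once a key is in a transcript or log it has to be rotated. The value-shape check catches secrets returned under unexpected keys, and the account-identifier rule can be widened or narrowed to match what the operator is willing to have in agent transcripts.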

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The action is described as a read-only fetch of a public Douyin video by share URL, but the documentation warns that it is a write action that changes TikHub state. This mismatch can cause an agent or operator to apply the wrong trust and approval model, potentially triggering unnecessary confirmation flows or, worse, normalizing incorrect action classifications that hide genuinely state-changing behavior elsewhere.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The action is documented as a read-only fetch of public Douyin comment replies, but the file explicitly labels it as a write action that changes TikHub state and instructs the operator to confirm the intended effect before running. This mismatch can mislead agents or users about the action’s safety properties, causing unnecessary friction at best and unsafe handling or policy misclassification at worst if downstream tooling relies on the documentation to determine whether an operation is read-only or mutating.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The document presents the action as a read-only fetch of public TikTok comment replies, but later warns that it is a write action that changes TikHub state. This inconsistency can mislead an agent or operator into applying the wrong trust and confirmation model, potentially causing unnecessary approval friction or, worse, normalizing inaccurate safety labels across the skill and leading to unsafe execution decisions elsewhere.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation for a comment-fetching action incorrectly states that it is a write operation that changes TikHub state, even though the action description and behavior indicate a read-only fetch. This can mislead an agent into adding unnecessary confirmation steps, misclassifying the action's risk, or handling it under the wrong trust/safety policy, which weakens reliable security decision-making.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The action is explicitly described as fetching a public TikTok post detail, which is read-oriented, but the documentation warns that it is a write action that changes TikHub state. This mismatch can mislead an agent or operator into applying unnecessary confirmation logic, or worse, normalize inaccurate safety semantics so that truly state-changing actions are not distinguished clearly from read-only ones.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger text says to use this skill for "ANY TikHub request," which is overly broad and can cause the agent to route all TikHub-related tasks through this skill without meaningful scope checks. In context, this increases the chance the agent will follow the skill's operational instructions, including setup and command guidance, even for tasks that may be better handled with narrower permissions or additional user confirmation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The action explicitly retrieves current account and API key information, but the skill text provides no warning that the response may contain sensitive secrets or account-identifying data. In an agent context, this increases the risk of accidental disclosure in logs, chat responses, downstream tool calls, or prompt context, especially because users are encouraged to run the action directly.
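The three finding types above are all checkable from the skill's own text. As an added example, not code from the skill, from SkillSpector, or from this report, the linter below runs those checks over constructed action descriptors: a read-oriented description paired with a "write action" label, a trigger that claims any request, and an action that names API keys without a sensitivity warning. The descriptor fields, the regexes, and the sample skill are assumptions about how such metadata might be written. It also applies the caveat a practitioner would want for the label mismatch: when documentation conflicts, the approval policy should fail closed and treat the action as a write until the mismatch is resolved.

```python
"""Lint agent-skill action metadata for the documentation inconsistencies reported above.

Added example. The descriptor fields (description, notes, trigger), the regexes and
the sample skill are assumptions, not TikHub's or SkillSpector's real format.
"""
import re
from dataclasses import dataclass, field

READ_VERBS = re.compile(r"\b(fetch(es|ing)?|get|read|list|retrieve|search|look ?up)\b", re.I)
WRITE_LABEL = re.compile(r"\bwrite (action|operation)\b|\bchanges? \w+ state\b|\bmutat(es|ing)\b", re.I)
BROAD_TRIGGER = re.compile(r"\b(any|all|every)\b[^.]*\brequests?\b", re.I)
SENSITIVE_OUTPUT = re.compile(r"\b(api[ _-]?keys?|tokens?|secrets?|passwords?|credentials?)\b", re.I)
SENSITIVITY_WARNING = re.compile(r"\b(sensitive|secret|do not (log|paste|share)|redact|may reveal)\b", re.I)


@dataclass
class Action:
    name: str
    description: str  # what the action says it does
    notes: str = ""   # operator guidance and safety labels


@dataclass
class Skill:
    name: str
    trigger: str
    actions: list = field(default_factory=list)


def effective_mutability(action: Action) -> str:
    """Fail closed: a write label anywhere in the documentation makes the action a write."""
    text = f"{action.description} {action.notes}"
    return "write" if WRITE_LABEL.search(text) else "read"


def lint_action(action: Action) -> list:
    """Return the finding labels that apply to one action descriptor."""
    findings = []
    # A read verb in the description contradicted by a write label in the notes.
    if READ_VERBS.search(action.description) and WRITE_LABEL.search(action.notes):
        findings.append("read/write label mismatch")
    # Output named as credential material, with no warning to handle it as sensitive.
    if SENSITIVE_OUTPUT.search(action.description) and not SENSITIVITY_WARNING.search(action.notes):
        findings.append("missing sensitivity warning")
    return findings


def lint_skill(skill: Skill) -> dict:
    """Lint the trigger and every action; keys are action names, '<trigger>' for the skill itself."""
    report = {}
    if BROAD_TRIGGER.search(skill.trigger):
        report["<trigger>"] = ["overly broad trigger"]
    for action in skill.actions:
        findings = lint_action(action)
        if findings:
            report[action.name] = findings
    return report


# Constructed sample skill mirroring the patterns in the findings; not the real skill text.
SAMPLE_SKILL = Skill(
    name="tikhub",
    trigger="Use this skill for ANY TikHub request.",
    actions=[
        Action(
            "fetch_douyin_video_by_share_url",
            "Fetch a public Douyin video by share URL.",
            "This is a write action that changes TikHub state; confirm the intended effect before running.",
        ),
        Action("get_user_info", "Retrieve current account and API key information."),
        Action(
            "fetch_tiktok_post_detail",
            "Fetch a public TikTok post detail.",
            "Read-only; nothing on the TikHub side is modified.",
        ),
    ],
)

if __name__ == "__main__":
    for name, findings in lint_skill(SAMPLE_SKILL).items():
        print(f"{name}: {', '.join(findings)}")
    for action in SAMPLE_SKILL.actions:
        print(f"{action.name} -> treat as {effective_mutability(action)}")
```

The mismatch rule deliberately does not decide which label is right; that needs the action's code or a live test against a throwaway account. Until then `effective_mutability` routes the conflicting action through the confirmation flow a write would get, so the inconsistency costs friction rather than an unapproved state change.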

VirusTotal

63/63 vendors flagged this skill as clean.