ClawHub

Brand Protection Tiktok

Security checks across malware telemetry and agentic risk

Overview

This skill is marketed as TikTok Shop brand protection, but the reviewed code and templates are mostly Amazon-focused, which could mislead users into using the wrong enforcement workflow.

Install only if you understand this appears to be an Amazon-style brand-protection draft tool mislabeled as TikTok-focused. Do not rely on its output for TikTok Shop enforcement, and review any complaint or legal template with the correct platform rules and appropriate legal/compliance review before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation is clearly Amazon-focused despite the skill being advertised as a TikTok Shop brand-protection toolkit. This is dangerous because users may rely on the tool for platform-specific enforcement workflows that do not exist, leading to misdirected complaints, missed abuse on the intended platform, and unsafe operational decisions based on false assumptions about coverage.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest advertises influencer misuse detection and TikTok IP reporting, but those features are not implemented in the code. In a security/compliance workflow, overstated capabilities create blind spots because operators may believe monitoring and reporting protections are active when they are not.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims image theft detection, but there is no image theft logic in the file. Because this skill is positioned as a brand-protection tool, missing a claimed detection area can cause users to overlook unauthorized asset reuse and assume evidence collection is already being performed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements Amazon Brand Registry complaint, cease-and-desist, test-buy, and MAP-enforcement templates, while the skill is ներկայացված as a TikTok Shop brand-protection toolkit. This scope mismatch is dangerous because it can mislead users into taking actions on the wrong platform, submitting incorrect reports, or relying on unsupported enforcement workflows under a false description of the skill’s capabilities.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The cease-and-desist and MAP violation generators extend beyond the manifest’s stated TikTok-focused detection and reporting scope into broader legal and reseller-enforcement actions. In a security context, undisclosed capability expansion matters because users may trust the tool for limited reporting assistance but instead receive legal-enforcement content that could be misused, sent inappropriately, or create compliance and liability issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal