Supply Chain Optimization Tiktok

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TikTok Shop supply-chain calculator, but users should verify its payout assumptions and handle optional API credentials carefully.

Use this as a rough analysis aid, not as authoritative financial advice. Before relying on cash-flow outputs, adjust or verify the payment-cycle assumptions for your actual TikTok Shop payout terms. If you enable the optional TikTok API integration, use revocable least-privilege credentials, avoid pasting real secrets into shared terminals or logs, and verify the GitHub source before running the global npx install command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: High
Confidence: 92%
Finding:
The cash-cycle calculation claims platform-aware analysis but hard-codes a 14-day Amazon payment cycle for all platforms. In a financial decision-support skill, this can systematically misstate liquidity risk and working-capital needs, causing users to make harmful operational or financial decisions based on inaccurate outputs.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill includes environment variable examples for TikTok API credentials without any warning about secret handling, storage, rotation, or avoiding commits/logging. In a developer-facing skill, this can normalize unsafe credential practices and increase the chance that users paste live secrets into shell history, shared terminals, screenshots, or source control.

VirusTotal

66/66 vendors flagged this skill as clean.
