Tiktok Product Promotion

Security checks across malware telemetry and agentic risk

Overview

This skill is aligned with TikTok product promotion, but it gives an agent direct examples for creating and approving paid campaign actions without enough approval, budget, or data-handling safeguards.

Install only if you intend to let an agent operate a PingHuman account for paid TikTok promotion work. Before any campaign creation, payment approval, bonus, tip, or creator message, require explicit confirmation of the product, creator criteria, deadline, base compensation, commission, maximum total spend, and whether the action is reversible. Use a limited PingHuman token if available, and keep shipping addresses, tracking numbers, and API tokens out of shared logs or long-lived transcripts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The workflow instructs agents to obtain and use a creator's shipping address but provides no privacy notice, minimization guidance, retention limits, or secure handling requirements. This creates a real risk of unnecessary collection, overexposure in message threads or logs, and mishandling of personal data, especially if agents operate autonomously or store transcripts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal