Tiktok Trend Challenger

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill matches its stated purpose, but it can create and approve paid public TikTok creator campaigns without clearly requiring user confirmation or scoped credentials.

Install only if you want an agent to help manage paid PingHuman/TikTok creator campaigns. Use a narrowly scoped API token, require explicit approval for every task creation, approval, tip, or bulk campaign, and set budget/deadline limits before allowing the agent to act.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill instructs users to install it by modifying a local agent skills file and then to use authenticated API calls, but it does not clearly warn that this changes local agent behavior or that bearer tokens and campaign/task data will be transmitted to a third-party service. This creates a real security and privacy risk, because an agent or user may follow the instructions without understanding the impact on the local system or the exposure of data to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.