TikTok Crawling (yt-dlp)

Security checks across malware telemetry and agentic risk

Overview

The skill's behavior is consistent with its TikTok scraping purpose, but it tells agents to use browser login cookies without adequate warning or scoping.

Install only if you are comfortable letting the skill use your logged-in browser session for TikTok. Prefer running it without browser cookies when possible, use a separate low-privilege browser profile if authentication is needed, and delete any exported cookie files or downloaded sensitive content afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to extract authenticated browser cookies and use them with yt-dlp without clearly warning that these cookies are sensitive session credentials. Reusing browser cookies can expose account sessions, expand access to private or restricted content, and normalize handling of credentials in insecure ways.

VirusTotal

66/66 vendors flagged this skill as clean.
