tiktok-scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TikTok data lookup helper that uses CreatorCrawl with the user's API key and does not include hidden code or destructive behavior.

Install only if you are comfortable using CreatorCrawl for TikTok research under your API key. Avoid sending secrets or sensitive proprietary research targets, and ask the agent to confirm before broad comment, follower, following, transcript, or repeated lookup requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding: The invocation text is broad enough to cause the skill to activate for generic 'social media research' requests, even when TikTok-specific live API access is unnecessary. That increases the chance of unnecessary external data transmission and overuse of a third-party tool, which can expose user queries and expand the skill's effective data-access surface.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill advertises external API use but does not warn that user-supplied handles, URLs, keywords, comments, or transcript requests may be sent to CreatorCrawl. Without a clear disclosure, users may unknowingly provide sensitive or proprietary research targets that are transmitted to a third party, creating privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.
