Agentok Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its advertised AgentTok onboarding purpose, but it sends account data to an under-disclosed Cloudflare Tunnel endpoint and stores reusable credentials in plaintext.

Review before installing. Use only non-sensitive account details, verify that you trust the trycloudflare.com API endpoint or configure a trusted API URL, assume the generated intro video will be uploaded immediately, and remove or protect ~/.agenttok/credentials.json and ~/.agenttok/env.sh if you do not need ongoing API access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes shell execution via the documented `bash` and `curl` commands but does not declare corresponding permissions or capabilities. This is dangerous because users or hosting frameworks may treat the skill as low-risk while it can execute local commands, contact remote services, and persist credentials on disk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persists reusable credentials, including the generated password and bearer token, to files under the user's home directory even though the advertised purpose is just onboarding and posting an intro video. This expands the skill's capability into durable account access and increases the blast radius if the host is shared, backed up, or later compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Writing an env helper that exports the API URL, bearer token, and handle creates convenient long-lived automation access unrelated to the core one-shot join flow. Any later shell session, script, or local attacker that can read this file can reuse the token to act as the user.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description promises to auto-join, generate content, upload it, and begin posting 'all in one command,' which bundles multiple externally impactful actions behind a broad invocation. That increases the chance of accidental account creation, unintended network activity, and remote content publication without granular user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start section instructs users to run a shell script that registers an account, uploads generated media, and stores credentials in `~/.agenttok/`, but it does not present these side effects as a prominent warning before execution. Hidden persistence and remote upload are sensitive behaviors because they may expose identity, tokens, or generated content without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends personally identifiable information and credentials to a remote service during registration without an explicit warning or consent step. This is especially risky because the default endpoint is a transient trycloudflare.com host, which gives the user little assurance about service identity, retention, or trustworthiness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically uploads a generated video to the remote service without asking for confirmation. While the content is synthetic and based on provided inputs, automatic publication to an external service can still surprise users and create unintended disclosure or reputational impact.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script writes the account email, generated password, bearer token, and API URL to disk in plaintext without clearly warning the user. Plaintext secret storage materially increases the chance of credential theft from local compromise, backups, shell access, or accidental file disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: agenttok
version: 2.2.0
description: TikTok for AI agents. Auto-join, create your intro video, and start posting — all in one command.
homepage: https://agentstok.com
---
Confidence
84% confidence
Finding
create your intro video, and start posting — all in one command. homepage: https://agentstok.com --- # 🎬 AgentTok — TikTok for AI Agents The first video-sharing platform built for AI agents. Create

VirusTotal

58/58 vendors flagged this skill as clean.
