Security audit

maxhub-tiktok

Security checks across malware telemetry and agentic risk

Overview

This TikTok data skill is broadly documented, but it mixes a claimed read-only scope with sensitive session-cookie, signing, device-registration, and at least one write-capable endpoint.

Review before installing. Use only a separate MaxHub API key and test TikTok accounts, avoid providing real browser session cookies or login-related inputs, and do not allow agents to invoke write, cookie, device-registration, or signing endpoints automatically. Public read-only lookups are the lowest-risk use case; creator/account analytics and crypto/tool endpoints require careful consent and handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (44)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README advertises crypto/signing, device registration, and cookie-related utilities that go beyond the stated read-only TikTok data-querying purpose. In this context, those capabilities can enable request forgery, session bootstrapping, or access-pattern emulation, which materially expands the skill’s power beyond passive retrieval and increases abuse risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Signing utilities, guest-cookie generation, and device-registration functions are highly sensitive because they can be used to simulate clients, bypass normal access controls, or automate access to protected platform surfaces. For a read-only TikTok assistant, this is context-inappropriate and makes the skill substantially more dangerous by facilitating covert or policy-evading data collection workflows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README advertises crypto/signing, device registration, and visitor-cookie utilities that go beyond a read-only TikTok data query skill. These capabilities can enable request forgery, session bootstrapping, or anti-abuse evasion, materially expanding the skill’s effective power and making misuse easier even if framed as tooling.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The README claims access to account health, violation records, earnings overviews, and creator analytics despite the skill metadata stating it should not be used for account operations. This mismatch can mislead users and agents into invoking functions that touch sensitive creator/account data, undermining least-privilege expectations and increasing privacy/compliance risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a read-only TikTok data query tool, but it also advertises device registration and visitor cookie generation utilities. Those capabilities can establish session-like state or support impersonation/anti-bot evasion workflows, which materially expands the security and compliance risk beyond passive data retrieval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Crypto/signing, fingerprinting, msToken/ttwid/XBogus-style utilities, and anti-bot adjacent tooling are not necessary for a generic analytics/query skill and can be repurposed to bypass platform protections or automate prohibited collection. In context, these features create a dual-use capability set that is much riskier than ordinary API querying.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The documentation claims the skill is read-only and excludes account operations, yet later includes device registration and visitor-cookie tooling that are account/session-oriented in practice. This contradiction can mislead reviewers and downstream agents into approving or invoking higher-risk operations under a low-risk label.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this is a read-only TikTok query skill and explicitly says not to use it for posting content or account operations, yet the index exposes write-capable, non-idempotent atoms such as play-count manipulation and account-affecting creator endpoints. This mismatch can cause an agent or operator to trust the skill under false assumptions and invoke actions that change engagement or account state.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented atom `open_app_message` is marked high-risk, non-idempotent, and write-capable, which directly contradicts the skill's claim that it is not for account operations. Even if framed as opening an app screen, it can initiate private messaging flows and create side effects inconsistent with a supposedly read-only skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The entire creator section is labeled high-risk, non-idempotent, and write_op=✓, yet it is bundled into a skill advertised as read-only query functionality. That creates a broad trust-boundary failure: agents may access account-affecting creator analytics/account endpoints under a harmless-looking package name and description.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The tools section includes crypto, signature generation, cookie retrieval, and device registration utilities that exceed the stated purpose of a simple TikTok data-query skill. These primitives can be repurposed to impersonate clients, bypass access controls, or support unauthorized automation workflows if exposed to a general-purpose agent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file documents creator/shop analytics endpoints that require authenticated session cookies and access account-scoped data, which exceeds the manifest’s stated read-only public TikTok query use cases. This broadens the skill from public data retrieval into sensitive account analytics access, creating a data-scope mismatch that can lead to unauthorized collection or misuse of private creator information.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation explicitly requires the user’s full session cookie for all creator endpoints, which is a highly sensitive credential equivalent to authenticated account access. Collecting or transmitting full browser cookies for a nominally read-only query skill creates severe account takeover, privacy, and session hijacking risk if mishandled, logged, reused, or exposed to downstream systems.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The manifest says the skill should not be used for account operations, but the documented endpoints retrieve account health, violations, permissions, partner bindings, and other account-level metadata. Even if these are read-only, they are still sensitive account-management information and undermine user expectations about what the skill can access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The whitelist includes `add_video_play_count`, which is explicitly marked `write_operation: true` and `risk: high`, yet the skill metadata says the skill is read-only and should not perform account/content operations. This creates a capability mismatch: an agent or prompt attacker could invoke an action that manipulates engagement metrics, violating user expectations and potentially platform rules.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The whitelist exposes `open_tiktok_app_to_send_private_message`, a private-message initiation capability that is not necessary for a skill described as querying TikTok data. Even if it only deep-links into the app, it can be abused for unsolicited contact flows or social-engineering assistance, expanding the skill beyond passive data retrieval.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as read-only, but the documented endpoint list includes `add_video_play_count`, a state-changing operation that increases video views. This mismatch can cause an agent or user to invoke a write action under false safety assumptions, enabling unauthorized manipulation of engagement metrics and violating the declared trust boundary of the skill.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The out-of-scope section claims there are no interaction write endpoints for actions like likes/comments, yet the same document exposes a play-count increment endpoint. Even if narrower than likes or comments, it is still a write primitive that can be abused to alter platform metrics, and the inconsistency may mislead downstream agents into treating the skill as non-mutating.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill exposes generic crypto, fingerprint generation, guest-cookie acquisition, device registration, and login-request encryption utilities that go well beyond a TikTok data-query skill's stated read-only purpose. These capabilities can be chained to emulate clients, mint tracking identifiers, prepare authenticated-looking traffic, or support account/session abuse, making the skill materially more dangerous in context.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The recipe enables cookie-authenticated access to creator account data, health, violations, earnings, live summaries, and product/video relationships, which goes beyond a generic read-only public TikTok query tool and enters authenticated account-scope operations. Even if nominally read-only, requiring a user's session cookie exposes highly sensitive credentials and private account data, creating a significant risk of unauthorized account access, session misuse, and privacy compromise if the skill is invoked or handled insecurely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The recipe explicitly documents browser fingerprint generation, encryption of fingerprint-derived data, and msToken generation, which are capabilities outside the skill's declared read-only TikTok data-query purpose. In this context, these functions can facilitate request spoofing, session/token fabrication, or anti-bot evasion, making the skill materially more dangerous than its manifest suggests.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented behavior extends beyond passive data retrieval into token-generation and fingerprinting workflows, creating a mismatch between the published trust boundary and the actual capability set. That mismatch is dangerous because operators or downstream agents may invoke the skill assuming low-risk read-only behavior while it exposes mechanisms commonly used to simulate clients and bypass service protections.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is declared read-only and not for account operations, yet the reference explicitly documents login-request encryption/decryption and broader account/session cryptography. That creates a clear capability mismatch: an agent using this skill could handle credentials or facilitate account-access workflows despite the stated scope, increasing risk of credential misuse and unauthorized account operations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Documenting device registration and guest-cookie acquisition extends the skill beyond passive content lookup into session/bootstrap mechanics used to impersonate or emulate clients. In a read-only TikTok data skill, these primitives materially increase the ability to automate scraping or access flows that depend on synthetic device/session state.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Generating a hashed ID from an email address is not necessary for ordinary TikTok content or profile queries and introduces an identity-linked transformation primitive. Even if the output is hashed, this can support user correlation, enumeration, or downstream account-targeting workflows outside the skill's stated purpose.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.