TikTok Uploader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it needs TikTok account session access and can upload or schedule posts on the user's behalf.

Install only if you are comfortable letting this skill act on your TikTok account. Prefer providing a local cookie-file path instead of a raw sessionid or cookie values, keep that file private, rotate or revoke the session if exposed, and verify each video, caption, visibility setting, and schedule before upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly instructs the agent to obtain and handle raw TikTok authentication artifacts such as cookies.txt exports, cookie lists, and a live sessionid. These are effectively bearer credentials for the user's account, and the file does not include strong warnings, minimization guidance, or safer handling boundaries, so users may disclose high-value secrets to the agent unnecessarily.

Ssd 3

High (97% confidence)
Finding
This skill's core workflow depends on collecting live TikTok authentication material from the user, including session cookies and session IDs, which gives the agent access to an active account. In an agent context this is especially dangerous because these secrets can be retained in logs, memory, traces, or downstream tooling, and compromise enables full account misuse until the session is revoked.

VirusTotal

64/64 vendors flagged this skill as clean.