tiktok-research-kit

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at YouTube transcript extraction, but it includes under-scoped guidance around browser session cookies and an external download-service reference that users should review before installing.

Review this skill before installing. Use it only for content you are allowed to access, avoid third-party downloader sites, and do not enable browser-cookie fallback unless you understand that it may expose active YouTube/browser session data to local tooling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The skill states it does not support downloading, yet it promotes a third-party download service in adjacent documentation. This can steer users from a local-analysis workflow to an external site, increasing phishing, tracking, malware, or data-exposure risk outside the trusted toolchain.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Advising use of `--cookies-from-browser chrome` without a privacy or credential-safety warning is dangerous because it encourages access to browser-stored authenticated session data. In an agent skill context, this can normalize handling of sensitive cookies and may lead users to expose account sessions or over-collect data beyond what is necessary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal