keyapi-tiktok-content-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill requires a 'KEYAPI_TOKEN' and communicates with the vendor's primary server at 'https://mcp.keyapi.ai'. This behavior is essential for the skill's intended purpose of retrieving TikTok data via the KeyAPI service. The runner script stores the token in a local '.env' file, which is a standard and documented practice for local development environments.
- [COMMAND_EXECUTION]: The skill includes a Node.js script ('scripts/run.js') that facilitates tool execution. This script handles complex operations such as auto-pagination, local caching in '.keyapi-cache/', and the conversion of cover image URLs from vendor-controlled infrastructure ('echosell-images.tos-ap-southeast-1.volces.com') via the 'batch_download_cover_images' tool.
- [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection as it ingests untrusted external content, specifically TikTok video comments and captions, into the agent's context for analysis.
  - Ingestion points: Data is retrieved via tools such as 'get_video_comments' and 'get_video_captions' through the 'scripts/run.js' runner.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the documentation for handling this data.
  - Capability inventory: The skill has the capability to write to the local filesystem (caching) and perform network operations to the configured MCP server.
  - Sanitization: No explicit sanitization of the retrieved TikTok content is performed within the provided scripts, relying on the underlying agent's own safety guardrails.