tikhub-api-helper

Fail

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file api_client.py contains a hardcoded API token vZdfXsQS3nNTqVRrVysjLT4kjaa6yL0gTnBk/aTAi8aA== assigned to the DEFAULT_TOKEN variable.\n- [COMMAND_EXECUTION]: The skill instructions in SKILL.md direct the agent to execute api_searcher.py and api_client.py with arguments derived from user input, facilitating local script execution.\n- [DATA_EXFILTRATION]: The api_client.py script makes outbound HTTP requests to api.tikhub.io and api.tikhub.dev to fetch data. This enables the transmission of data to external domains associated with the TikHub service.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external social media APIs and provides it to the agent.\n
  • Ingestion points: Responses from TikHub API endpoints processed in api_client.py.\n
  • Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands in the API data.\n
  • Capability inventory: Execution of local Python scripts with command-line arguments and network access.\n
  • Sanitization: None; data is printed to the console and incorporated into the agent's context without validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 29, 2026, 06:46 AM
Security Audit — agent-trust-hub — tikhub-api-helper