tiktok-product-video

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/response_io.py utility uses subprocess.run() to execute the skill's data-fetching scripts. This pattern is part of the skill's architecture for handling large data volumes by persisting them to the file system and allowing selective extraction, which helps avoid agent context window limits.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to the NexScope proxy API to retrieve TikTok video metadata. This is a core feature of the skill and utilizes the vendor's own infrastructure.
  • [PROMPT_INJECTION]: The skill processes untrusted metadata from the TikTok API, such as video descriptions and hashtags, which provides a surface for indirect prompt injection.
      • Ingestion points: API response fields (videoDesc, hashTag) retrieved by scripts/tiktok_product_video.py and processed by scripts/response_io.py.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the processing logic.
      • Capability inventory: The skill has the capability to execute local scripts via subprocess and perform network operations.
      • Sanitization: No sanitization or filtering of the retrieved video content is performed before it is presented to the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 28, 2026, 07:06 AM