tiktok-app-marketing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs collecting and embedding secret API keys verbatim into config files and shell commands (e.g., export RC_API_KEY=sk_your_key_here, config.imageGen.apiKey, uploadPost.apiKey), which requires the agent/LLM to handle/display secrets directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 "Competitor Research (Requires Browser Permission)" and related docs explicitly instruct the agent to browse TikTok and public app store pages and ingest/analyze user-generated posts, comments, and competitor content—data the agent must interpret and that directly drives hook generation, posting decisions, and the feedback loop.