@gecho-ai/gecho-bridge-bundle

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real TikTok search bridge, but it needs review because its local service can run in the background, accepts unauthenticated localhost control, and can write scraped data to caller-chosen paths.

Install only if you trust Gecho AI and are comfortable giving a local MCP service access to a logged-in Chrome/TikTok workflow. Before use, choose a dedicated save directory, avoid shared or synced folders for scraped data, and be aware that local processes or browser pages may be able to interfere with the unauthenticated localhost service. This review does not find artifact-backed exfiltration or malware behavior, but the local control and file-write scope should be read carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The HTTP server exposes POST /shutdown on 127.0.0.1 and immediately schedules gracefulShutdown() with no authentication, authorization, CSRF protection, or origin validation. Any local process, browser page able to target localhost, or malware running as the same user can terminate the service on demand, causing denial of service and interrupting active jobs.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The client can silently start and restart a local server process even though the exposed MCP tool interface only presents search/insight functions. That expands the trust boundary from simple request forwarding to local process orchestration, which can persist background code execution and make unexpected service replacement or restart behavior hard for users and hosts to detect.

Intent-Code Divergence

Low
Confidence: 84%
Finding
Although the code limits tool names, it forwards all provided arguments directly to the backend with no schema enforcement or field allowlisting before sending JSON to the service. If the downstream service accepts hidden or dangerous parameters, an MCP caller can reach undocumented capabilities or influence file paths and behavior beyond what the client documentation suggests.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The code accepts a caller-controlled save_dir value and, if it ends with .json or .csv, uses it directly as the output file path. An attacker who can access the local HTTP API can cause arbitrary file write/overwrite within the privileges of the service, which can corrupt application files, plant data in sensitive locations, or potentially achieve code execution depending on where files are written.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly encourages large-scale scraping, local persistence of collected data, and AI-driven analysis, but it does not provide meaningful guidance on privacy, terms-of-service, consent, retention, or handling of potentially personal data. In an agent skill context, this omission increases the chance that users will deploy the tool to collect and store data in ways that violate platform rules or expose sensitive information on disk.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README explicitly promotes automatic saving of large amounts of scraped TikTok data to local JSON files, but it does not clearly warn users about privacy, legal, or data-retention implications. In an agent-driven tool, silent or poorly explained persistence increases the chance that sensitive scraped content or account-linked data is stored unexpectedly and mishandled.

Missing User Warnings

High
Confidence: 99%
Finding
The service accepts unauthenticated POST requests to /shutdown and responds with success before invoking gracefulShutdown(). In the context of a localhost automation bridge, this is especially risky because many threat models include malicious local software or webpages probing localhost services, making remote-triggered availability loss realistic.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code writes scraping results to payload.save_dir, which is caller-controlled, and treats either a directory or full file path as valid without constraining it to an approved base directory. A client that can reach this localhost API can overwrite or create arbitrary JSON/CSV-named files accessible to the service account, which can corrupt user data, poison application state, or facilitate follow-on attacks depending on writable locations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill persistently writes scraped TikTok data to local files automatically, including a fixed filename and timestamped backup, without explicit user consent or a clear notice in the tool contract. This creates a privacy and data-governance risk because scraped content may contain personal or sensitive data, and silent local retention increases exposure to unintended disclosure on the host system.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code launches a detached background Node process with stdio ignored and no user-facing disclosure. Silent persistent subprocess creation reduces transparency, bypasses operator expectations, and can be abused to keep local code running after the client exits, which is especially risky in agent/tooling environments.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly encourages saving large TikTok result sets to disk, but provides no warning that the exported metadata may contain sensitive or regulated information, nor any guidance on retention, access control, or safe storage locations. In an agent setting, automatic local persistence can create unintended data exposure, especially on shared workstations or synced directories.

Missing User Warnings

Medium
Confidence: 93%
Finding
The instruction to always proactively generate an absolute save path increases the likelihood of silent disk writes without the user's awareness or review of the target location. This is risky because agents may persist scraped/exported data into insecure, shared, or unexpected paths, leading to unnecessary data retention and potential leakage.

VirusTotal

65/65 vendors flagged this plugin as clean.
