If you find a security issue in TokIntel, please do not open a public issue. Report it privately so it can be fixed before disclosure.

• Open a private security advisory: https://github.com/Thyfwx/TokIntel/security/advisories/new
• Or contact me directly through GitHub: @Thyfwx

I aim to acknowledge within 7 days, and credit you in the fix.

This tool reads public TikTok profile data, runs locally, and stores results under reports/. Useful things to look at:

• Input handling: anything that reaches fetch_user, the pivot URL builders in osint_pivots, or the clickable-link helpers (_osc8, _safe_link).
• Terminal escape injection in the OSINT pivot output, and which link schemes are made clickable (only http/https).
• Filesystem write paths (everything writes under reports/).
• Supply chain in requirements.txt and the launcher install step.
• Optional login mode (off by default): for accounts behind audience controls, a TikTok session is read at runtime from TIKTOK_COOKIE / TIKTOK_SESSIONID, a gitignored tiktok_session.txt, or your own browser via browser-cookie3. It is held in memory for the request only and never written to a report, a log, the screen, or the repo, and nothing about it ships in the source.

Out of scope: the TikTok service itself, network attacks on the host machine, and anything in the original HackUnderway/TokIntel repo unrelated to this fork.