Ehunt Temu Category Search

Security checks across malware telemetry and agentic risk

Overview

The Temu category lookup is mostly coherent, but its bundled helper (response_io.py) is broader than the stated purpose because it can run arbitrary local Python scripts and read arbitrary JSON files.

Install only if you are comfortable with a LinkFox credential-backed Temu lookup skill that includes a broad local response helper. Use the direct category-search script or MCP tool when possible, keep response output in a temporary directory, delete saved files after use, and do not use response_io.py with scripts or JSON files outside the intended task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Severity
Medium
Category
Dangerous Code Execution
Content
    timed_out = False
    try:
        proc = subprocess.run(
            [sys.executable, str(main_script), args.params],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
proc = subprocess.run( [sys.executable, str(main_script), args.params], capture_output=True, text=True, encoding="utf-8", errors="re

Description-Behavior Mismatch

Severity
Medium
Confidence
93% confidence
Finding
This helper is explicitly generic and business-agnostic, persisting arbitrary script output and later extracting fields from saved files. That capability materially exceeds a narrow Temu category search skill and increases the attack surface for unintended data collection, retention, and exfiltration from unrelated workflows.

Context-Inappropriate Capability

Severity
High
Confidence
98% confidence
Finding
The _resolve_script function accepts any absolute or relative file path and treats any existing file as an executable target for the run subcommand. In the context of a category-id lookup skill, this is unjustified privilege expansion that enables execution of unrelated local code and makes the skill much more dangerous than its metadata suggests.

Context-Inappropriate Capability

Severity
Medium
Confidence
92% confidence
Finding
The read subcommand accepts an arbitrary file path and parses it as JSON, then provides structured extraction and alternate output formats. For a Temu category search skill, this amounts to a general local file-inspection tool that can expose unrelated sensitive JSON data if the agent can reference accessible files.

Vague Triggers

Severity
Medium
Confidence
84% confidence
Finding
The trigger wording is broad enough to activate on generic Temu category-related requests, including cases where the user did not explicitly ask to query the EHunt-synced local dataset. Over-broad triggering can cause unintended tool use, unnecessary data access, and action taken under the wrong assumptions about source, freshness, or user intent.

Missing User Warnings

Severity
Medium
Confidence
90% confidence
Finding
The run path always writes captured stdout to disk, even on failure or timeout, without any consent, minimization, or classification of the data being stored. If the wrapped script emits secrets, personal data, or tokens, those are persisted locally and may later be read back, expanding exposure beyond the immediate execution context.

VirusTotal

66/66 vendors flagged this skill as clean.