Temu Add Product US

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Temu product-management purpose, but it should be reviewed because it stores and can reveal seller access tokens while also exposing broad live marketplace actions.

Install only if you are comfortable giving this skill and the LinkFox gateway access to Temu seller credentials. Prefer least-privilege, short-lived tokens; avoid saving tokens locally when possible; do not print or unmask saved tokens; avoid the generic proxy for unreviewed actions; and require explicit review before product, inventory, or pricing changes go live.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
This script retrieves a stored Temu access token and returns it verbatim in stdout, turning a product-management skill into a credential-extraction utility. In an agent environment, stdout is commonly captured, logged, or surfaced to downstream tools or users, so exposing bearer tokens can enable unauthorized API access beyond the intended skill boundary.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The code emits authentication credentials in JSON output even though the skill description is limited to product operations such as add product, inventory, category mapping, and related APIs. This mismatch increases risk because a caller invoking a seemingly narrow business skill can obtain reusable credentials that may be replayed directly against Temu or adjacent systems.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
This script persists a Temu access token to a local store for later reuse, creating a long-lived credential cache on disk or another local persistence layer. Storing bearer tokens locally expands the attack surface beyond the declared Add Product/API gateway behavior and increases the risk of credential theft through local compromise, accidental inclusion in backups, logs, or workspace artifacts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The document instructs users to persist Temu access tokens locally in a predictable file path and shows example commands containing raw token material, but it does not include explicit guidance on protecting that file or avoiding shell history exposure. Because these tokens authorize business API actions, compromise of the local machine, backups, logs, or history files could allow unauthorized access to product, inventory, or pricing operations.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The documentation explicitly instructs users to transmit sensitive credentials such as LINKFOX gateway API keys and Temu access tokens, but it does not warn against logging, sharing, or exposing those secrets in examples and operational workflows. In a skill context, this increases the risk of credential leakage through shell history, chat transcripts, screenshots, debugging output, or misconfigured client code.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The document instructs users to copy an access token from the Temu seller backend and optionally save it locally, but it does not warn that the token is a sensitive credential or describe secure storage requirements. In an authorization-flow document for API access, this omission increases the chance that users will store long-lived tokens insecurely, exposing account access if the local store, logs, or workstation are compromised.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The line explicitly states that `scripts/temu_us_proxy.py` can transparently pass through arbitrary `type` values, which materially expands capability beyond the enumerated, documented operations. In an agent setting, this can bypass intended trigger boundaries and allow invocation of undocumented or high-risk Partner APIs, including state-changing actions, making prompt abuse or accidental misuse significantly more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
This section documents multiple write-capable operations such as product update, migration, stock update, and product add/publish, but provides no safety guidance that these actions modify live marketplace data. In an agent workflow, lack of explicit warnings and confirmation requirements increases the chance of unintended inventory, pricing, or catalog changes from ambiguous or over-broad user requests.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The guide explicitly tells users to manually copy and save an access token but does not warn that the token is a sensitive credential with account-level API access. In a credential-handling workflow, omitting handling precautions increases the chance users paste tokens into insecure locations, logs, chats, or improperly protected storage.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instructions direct users to select broad regular and special permissions and then copy the resulting access token, but provide no least-privilege guidance or warning about the consequences of over-scoped authorization. In this skill context, that is more dangerous because the skill is product-focused, so encouraging broad scopes can grant unnecessary access to unrelated seller operations if the token is misused or leaked.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This flow instructs users to grant both general and sensitive permissions and copy the token without any warning about least privilege, credential sensitivity, or downstream risk. Because the module is an authorization guide, users are likely to follow it verbatim, so the absence of safeguards materially increases the chance of unnecessary privilege grant and credential mishandling.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code persists Temu access tokens to a local JSON file in plaintext without any controls such as restrictive file permissions, encryption, or an explicit warning to users that long-lived credentials are being stored. If the host is shared, compromised, backed up to less-trusted locations, or the file permissions are too broad, an attacker or another local user could recover tokens and access seller APIs.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
Printing a bearer token to stdout is inherently unsafe because command output may be recorded in shell history, CI logs, agent transcripts, telemetry, or error reports. Even absent explicit maliciousness, this creates a straightforward secret leakage path that can compromise the associated store account.

VirusTotal

66/66 vendors flagged this skill as clean.