Temu Ads EU

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Temu EU Ads integration, but it can make live ad-spend changes and handle credentials, and its proxy and token-handling powers are broader than is safely scoped.

Install only if you trust LinkFox and need live Temu EU Ads automation. Prefer the specific eu_ads_* scripts over the generic proxy, confirm every create/delete/pause/budget/ROAS change before running it, avoid saving tokens locally unless necessary, and do not print raw tokens in shared terminals, logs, or agent transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities to read environment secrets, write files, and make outbound network requests, but it does not declare permissions or constrain those capabilities. In practice this reduces transparency and weakens any policy enforcement around sensitive operations such as accessing API keys, storing tokens locally, and sending data to external gateways.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is a narrow EU Ads integration, but the documented behavior includes generic proxying, file download, token validation, and local token persistence. That mismatch creates a confused-deputy risk: users or orchestrators may invoke the skill expecting limited ad operations while it can handle broader account and credential workflows that expose or misuse sensitive tokens.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script adds a generic signed file download capability even though the skill metadata describes an EU Ads management skill focused on campaigns, groups, creatives, bidding, budgets, and reports. Expanding scope to arbitrary file retrieval increases the attack surface and can enable unintended access to signed resources or data flows not expected by users of an Ads-only skill.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code accepts a caller-supplied URL directly and forwards it to the backend file download API without validating that it belongs to an expected Temu Ads domain, path, or resource type. In a skill context, this can be abused to fetch arbitrary signed URLs, potentially exposing sensitive files, enabling unauthorized data access, or misusing privileged partner credentials through an overly broad proxy operation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is explicitly implemented as a generic 'Temu API Proxy' that forwards requests via a broad proxy endpoint, while the skill metadata claims an EU Ads-specific capability. This scope mismatch is dangerous because it can enable users or downstream agents to invoke unrelated Temu APIs through a skill that appears constrained to advertising, undermining least privilege and policy assumptions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code accepts arbitrary 'type' values and passes through arbitrary nested 'params' directly to the backend proxy with the caller's access token, without enforcing that the request belongs to EU Ads operations. In this skill context, that makes the issue more dangerous because a user invoking an Ads-labeled skill could reach non-Ads Temu APIs such as goods or other partner endpoints, causing unauthorized actions, data access, or cross-domain privilege expansion.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger terms include broad phrases like Ads, budget, report, and campaign language that can match ordinary conversations and cause the skill to activate unexpectedly. In a skill with network access and token-handling features, overbroad triggering increases the chance of unintended data flow or surprising external API calls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown explicitly references saving, listing, and reading Temu access tokens from local storage and using gateway/network scripts, but it does not provide a clear warning about privacy, retention, local file security, or what data is transmitted externally. This can lead users to unknowingly persist high-value credentials on disk or send them to a gateway without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly describes a workflow that includes creating, modifying, pausing, and deleting live ads, but it does not warn users that these actions can immediately affect production advertising spend, campaign delivery, or reporting. In an agent skill context, missing safety guidance increases the risk of unintended real-world state changes from ambiguous or poorly confirmed user requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users how to create live ads by supplying budget and ROAS values, but it does not clearly warn that this is a state-changing operation that can immediately affect advertising delivery and spend. In an agent skill, omission of such warnings increases the chance of accidental ad creation or unintended budget allocation through automation or user misunderstanding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation exposes destructive ad-management operations such as delete, pause, open, budget change, and ROAS change without any explicit warning, confirmation requirement, or operational safeguards. In an agent skill context, that omission increases the chance that an LLM or user will invoke high-impact state-changing actions unintentionally, causing advertising disruption or financial loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example command shows a ready-to-run live modification request against production ad objects with no caution that it will change budget/ROAS in a real account. In practice, users or automated agents may copy the example directly, leading to unintended spend changes or campaign disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it locally, but it provides no warning that the token is a sensitive credential or guidance on secure storage and handling. In an authorization-flow document for an ads integration, this omission increases the likelihood of credential leakage through local files, shell history, screenshots, shared machines, or insecure stores, which could enable unauthorized API access to ad accounts and related business data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Temu access tokens in plaintext JSON on the local filesystem without setting restrictive file permissions, encryption, or any explicit safeguards. In an agent skill handling advertising accounts, these tokens likely grant API access to campaign, budget, and reporting operations, so local compromise, backup leakage, or accidental file exposure could disclose reusable credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script prints a live Temu access token directly to stdout, which can be captured by shell history, terminal scrollback, logs, parent processes, orchestration tooling, or other components in the agent pipeline. In a skill context that brokers advertising API access, exposing bearer tokens in plaintext materially increases the chance of credential leakage and unauthorized API use if any downstream component records command output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script explicitly accepts an access token and persists it to a local token store for later reuse, but the interface shown in the docstring and CLI flow provides no warning about credential persistence, retention, or storage protections. In an agent/automation context, this increases the chance that operators paste production credentials that remain on disk longer than expected, where they may be recovered by other local users, backup systems, logs, or subsequent tooling.

VirusTotal

66/66 vendors flagged this skill as clean.
