Temu Ads Global

Security checks across malware telemetry and agentic risk

Overview

This Temu ads skill is not clearly malicious, but it needs review because it handles live ad changes, plaintext tokens, and broad proxy calls beyond a narrow ads-only scope.

Install only if you trust LinkFox with Temu credentials and advertising data. Use least-privilege, short-lived tokens; avoid saving production tokens locally on shared machines; do not print or list unmasked tokens; keep use to documented ads endpoints; and require explicit confirmation before creating, deleting, pausing, or changing budgets/ROAS.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (18)

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The skill is presented as an Ads-focused integration, yet the script list includes generic multi-site proxy and token-management utilities outside that scope. This increases danger because a narrowly trusted operational skill now doubles as a broader access tool, making abuse or accidental misuse more likely.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: Persisting, listing, and retrieving Temu access tokens locally is a sensitive credential-management function that is not justified by the stated Ads forwarding purpose. Local token storage materially raises the risk of credential theft from disk, accidental disclosure to other processes or users, and misuse of long-lived access beyond the original task.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The catalog states that this ads skill routes requests through `temu_global_proxy` with a default `tokenPurpose=product-inventory`, which appears misaligned with an ads-specific capability. Using a broader or unrelated token purpose can violate least-privilege expectations, increase accidental access to non-advertising data/functions, and cause operators or downstream tooling to reuse higher-privilege credentials in an advertising workflow.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The documentation defaults to `product-inventory` authorization for an ads-only skill without showing a clear necessity. In practice, undocumented scope expansion encourages overprivileged token use, making mistakes or abuse more damaging if the proxy or connected scripts accept additional operations beyond the intended ads functions.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: This script exposes a local capability to enumerate stored Temu access tokens, and it even supports disabling masking via user input. That functionality is not aligned with the advertised Ads API gateway purpose, so it expands the attack surface and could enable credential discovery by a local attacker, compromised agent, or abused workflow.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The proxy accepts an arbitrary user-supplied "type" value and forwards it directly to the backend Temu proxy, with no enforcement that the requested operation belongs to the skill's advertised Global Ads scope. In an agent environment, this creates a capability-expansion flaw: a skill presented as ads-only can be used to invoke unrelated Temu APIs, potentially including product, order, promotion, or other privileged operations if the provided access token permits them.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation describes saving and retrieving access tokens locally without warning users that sensitive credentials will be written to disk or instructing them how to protect that storage. This omission is dangerous because users may unknowingly create plaintext credential stores on shared or insecure systems.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill exposes gateway endpoints and example requests that include API keys and access tokens, but it does not clearly warn that these secrets and request payloads are transmitted to a remote LinkFox-controlled gateway. In this context, the omission matters because users may assume direct Temu interaction rather than third-party credential and data relay.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This documentation explicitly exposes destructive advertising operations such as delete, pause, enable, budget changes, and ROAS changes without any warning, confirmation guidance, or operational safeguards. In an agent skill context, that increases the chance an agent or user will trigger impactful production changes unintentionally, causing campaign disruption or financial loss.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The example command shows a ready-to-run production-style invocation that can directly modify live ad settings, yet it lacks any safety notice, sandbox guidance, or confirmation requirement. This is dangerous because users or downstream agents may copy-paste it into automation and unintentionally alter advertising spend or campaign behavior.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document instructs users to copy an access token from the Temu seller backend and optionally save it locally, but it does not warn that the token is a sensitive credential equivalent to API authentication. In an authorization-flow document for ad-management APIs, this omission increases the chance of insecure handling, accidental disclosure, or unsafe local persistence that could enable unauthorized access to seller advertising data and operations.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The file says requests are sent through `temu_global_proxy` (`POST /temu/proxy`) with a default token purpose, but it does not clearly warn users that advertising/account data will transit an intermediary service rather than going directly to the upstream API. That missing disclosure can lead to unintentional data sharing, weaker trust boundaries, and insufficient review of what sensitive business data the proxy can observe or log.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The guide explicitly tells users to manually copy an access token and save it, but it does not clearly label the token as a sensitive secret or warn against exposing it in logs, chats, files, or source control. In an agent skill context, operational guidance is likely to be followed directly, so missing handling warnings can lead to credential leakage and unauthorized API access.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: These steps instruct users to select broad permissions and then copy the resulting access token, but they do not explain the security implications of granting all regular and special permissions. That combination increases blast radius if the token is mishandled, especially in a skill that operationalizes API access for ads and commerce workflows.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The file download helper accepts a user-controlled URL and forwards it together with an access token to a backend download endpoint, which can enable SSRF-like behavior or token misuse if the downstream service fetches arbitrary URLs. In the context of an agent skill that may process user input, this is more dangerous because an attacker could supply crafted URLs to make the backend access internal resources or untrusted hosts while authenticated context is attached.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code persists bearer access tokens in plaintext JSON on the local filesystem without setting restrictive file permissions, encryption, or any user-facing warning that sensitive credentials are being stored. If another local user, backup system, malware process, or misconfigured home-directory sync can read the file, the tokens could be reused to access Temu advertising accounts and related business data.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The script prints the raw access token to stdout in JSON, which can expose credentials through terminal history, logs, orchestrator output capture, or downstream tool chaining. In an agent/skill environment, stdout is often collected or surfaced to users and other components, making credential disclosure materially more dangerous than in a strictly local interactive script.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The script explicitly accepts an access token from the command line and stores it locally for later reuse, which creates credential exposure risk. Tokens supplied via CLI arguments can be visible in shell history, process listings, logs, or backups, and local persistence without clear protection requirements increases the chance of compromise if the host or workspace is shared.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal