Temu Ads US

Security checks across malware telemetry and agentic risk

Overview

This Temu ads skill can manage live ads, but it also includes broad proxy and plaintext token tools that expose credentials and go beyond an ads-only scope.

Install only if you are comfortable giving this skill access to Temu seller tokens and live advertising operations. Treat it as a Review item: restrict use to trusted workspaces, avoid saving plaintext tokens where possible, do not use mask:false or raw token output in logs, require human confirmation before create/modify/delete/pause/budget actions, and prefer a narrower ads-only version with API allowlists and secure token storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that use environment secrets, local file writes, and outbound network access, but it does not declare permissions or constrain those operations. This creates a transparency and governance gap: a user or platform may authorize the skill for narrow ad-management tasks while it can also persist tokens locally and call external endpoints, increasing the chance of secret misuse or unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is a Temu US Ads skill, but the documented behavior includes generic proxying for arbitrary API types, token lifecycle utilities, local token persistence, signed file download, and support for non-US/non-ads contexts. That mismatch materially broadens the operational scope beyond what a user would reasonably expect, enabling overbroad access paths and making it easier to misuse the skill as a general gateway for unrelated Temu actions or sensitive token handling.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The helper hard-codes DEFAULT_TOKEN_PURPOSE to "product-inventory" even though the skill is advertised as Ads-only. That creates a scope/intent mismatch: if callers omit tokenPurpose, the code may silently obtain or use a token for a different product domain, expanding effective capability beyond the declared skill boundary and increasing the chance of cross-scope API access or accidental misuse.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file download helper accepts an arbitrary URL from params and forwards it with an access token to a download endpoint, giving the skill a generic remote retrieval primitive that is not reflected in the Ads-focused description. In context, this broadens the skill from ad-management actions into potentially unrestricted external resource access, which can enable data exfiltration, retrieval of untrusted content, or abuse of authenticated download paths.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script adds local access-token enumeration capability that is outside the stated Temu US Ads integration purpose. Even though tokens are masked by default, the `mask: false` option enables disclosure of raw credentials, increasing the chance of accidental exposure, misuse by other local components, or operator abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script explicitly exposes stored access tokens through a user-controlled parameter: passing `{"mask": false}` causes raw tokens to be printed. Access tokens are authentication secrets, so any ability to list them creates a direct credential-disclosure path that can enable unauthorized API access, account takeover of the connected Temu advertiser context, and downstream abuse of ads data or campaign management.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file is implemented as a generic Temu API proxy that forwards arbitrary API `type` values and parameters, while the skill metadata claims the skill is limited to Temu US Ads functionality. This scope mismatch can let callers reach unrelated Temu endpoints through the LinkFox gateway, undermining least-privilege expectations and enabling unauthorized use of broader commerce or account functionality.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring and usage examples describe a generic Temu API proxy and even show a non-ads endpoint (`bg.goods.category.mapping`), directly contradicting the advertised ads-only purpose of the skill. In a security-sensitive integration, misleading documentation increases the likelihood that operators and users will over-trust the skill's scope while it is capable of broader API access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that Temu access tokens can be saved locally, but it provides no visible warning about persistence risks, storage location, retention, file permissions, or how to revoke compromised tokens. Persisting bearer tokens without prominent safeguards increases the risk of credential theft from local files, backups, logs, or shared environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly recommends saving Temu access tokens to a local file but does not warn that these tokens are sensitive credentials or describe how local storage can expose them through weak file permissions, backups, shared machines, shell history, or malware. In this skill context, the risk is more significant because the token enables access to business APIs for store operations, so accidental disclosure could lead to unauthorized access or misuse of merchant data and actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly describes operational ad-management actions including creating, modifying, pausing, and deleting ads, but does not include an explicit warning that these actions can spend budget, interrupt campaigns, or cause business-impacting changes. In an agent skill context, this omission increases the chance that an automated system or user invokes impactful write operations without sufficient confirmation or safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation describes an API that creates ads and sets budget/ROAS parameters, but it does not prominently warn that invoking it can launch paid advertising and consume real ad budget. In an agentic context, that omission is dangerous because a user or downstream automation may treat the action as routine data management rather than a spend-authorizing operation, increasing the risk of unintended financial loss.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document explicitly supports destructive ad operations such as delete, pause, and budget/ROAS modification, but it does not include any operator warning, confirmation requirement, or guidance about validating user intent before execution. In an agent skill that may translate natural-language requests into live API calls, this raises the risk of unintended operational changes that can stop campaigns or alter spend behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs users to manually copy an access token from the seller backend and optionally save it to a local store, but provides no safeguards for secure handling, storage, masking, rotation, or scope limitations. In a skill centered on ad-management APIs, these tokens likely grant access to sensitive merchant operations and reporting, so normalizing copy/paste and local persistence materially increases the risk of credential leakage, misuse, or accidental exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists Temu access tokens in plaintext JSON on local disk, and the save routine does not set restrictive file permissions or provide any warning that long-lived credentials are being stored. If the host is shared, backed up, or compromised, an attacker or another local user could recover the tokens and use them to access or manipulate the linked Temu advertising account.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script retrieves a stored Temu access token and prints it directly to stdout in JSON. In agent, CI, logging, or tool-chaining environments, stdout is commonly captured, persisted, or exposed to downstream components, which can leak bearer credentials and enable unauthorized API access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script explicitly persists a sensitive access token to a local store for later reuse, but the user-facing usage/help text does not warn that the credential will be stored beyond the current session. In an agent skill context, silent credential persistence increases the chance of accidental long-term retention, reuse by other components, or compromise if local storage is weak or shared.

VirusTotal

65/65 vendors flagged this skill as clean.
