ClawHub

Temu Cancel Order EU

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a Temu cancellation integration, but it also exposes broad authenticated Temu proxy, file-download, and plaintext token-storage capabilities that go beyond a narrow EU cancel-order workflow.

Install only if you intend to grant this skill broad Temu gateway authority, not just EU cancellation access. Prefer using the six dedicated cancellation scripts, avoid the generic proxy and file-download helpers unless you understand the Temu API call being made, and avoid saving access tokens in the plaintext local store on shared, backed-up, or synced machines. Rotate any token that has been pasted into logs, prompts, shell history, or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The documentation expands the skill from a cancel-order function into a more generic Temu proxy surface, including file download and flexible forwarding via /temu/proxy with caller-supplied type and params. In an agent setting, broader-than-advertised capabilities increase the risk of unintended API access, permission creep, and misuse of stored credentials because users and orchestrators may invoke operations outside the expected cancellation-only boundary.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This skill includes a generic token-retrieval utility that can disclose Temu access tokens from a local store, which is broader than the stated EU order-cancellation purpose. In an agent-skill context, exposing credential-retrieval functionality increases the risk of unauthorized reuse of tokens for unrelated API actions and weakens least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script enumerates locally stored Temu access tokens and can optionally print them unmasked, which exposes sensitive authentication material unrelated to the stated order-cancellation functionality. In the context of an API skill, bundled token-discovery utilities increase the risk of credential disclosure, lateral movement, and unauthorized API use if the script is invoked by an operator, another component, or an attacker with local access.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script’s behavior is to accept and persist a Temu access token locally, which is outside the declared purpose of a cancel-order skill. In a skill advertised for order-cancellation workflows, adding credential-storage functionality expands the trust boundary and creates an unexpected secret-handling capability that could be abused or overlooked during review.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script introduces local credential persistence without clear justification from the skill’s stated function of cancelling EU orders. Persisting reusable access tokens creates a standing secret on disk, increasing the risk of credential theft, lateral misuse across API operations, or unintended reuse in other proxy/fileDownload flows mentioned in the script header.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements a generic file-download operation even though the skill is described as handling Temu EU order cancellation. That capability mismatch expands the effective privilege/scope of the skill and can enable unintended data retrieval or exfiltration paths if the agent or user can invoke it with arbitrary URLs or file targets. In this skill context, the mismatch is more dangerous because a cancellation-only skill should not need broad download functionality at all.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code exposes a generic wrapper around `eu_file_download_call(params)` using user-supplied JSON parameters, including a URL, with no visible restriction in this file. In a skill whose declared purpose is only order cancellation, such an unrelated download primitive creates an unnecessary attack surface and could be abused to fetch unauthorized files, sensitive documents, or internal resources depending on downstream gateway behavior. The cancellation-focused context makes this more suspicious, not less, because the capability is unjustified by the stated business function.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring frames this as a seller cancel-order proxy, but the implementation accepts any caller-supplied API type and forwards it through a generic EU proxy path. That mismatch can mislead downstream tooling, reviewers, or policy controls into granting broader capabilities than intended, enabling unauthorized Temu EU API actions beyond cancel-order operations.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code directly takes a user-controlled "type" value and passes it to the EU proxy call, making the skill effectively a generic authenticated API forwarder rather than a cancel-order-only integration. In an agent environment, this broadens the capability boundary and can let prompts invoke unintended partner APIs using the provided access token, bypassing the manifest's narrower security expectations.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script implements a signed file download capability even though the skill is presented as an order-cancellation integration. That mismatch is dangerous because it expands the skill’s effective privileges and data-access surface beyond user expectations, enabling retrieval of Temu resources through a gateway in a context where such access is not justified.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script accepts an arbitrary URL parameter and forwards it to a file-download API using the caller’s access token, creating a generic resource retrieval primitive. In an order-cancellation skill, this can be abused to fetch unintended signed files or sensitive documents associated with the account, violating least privilege and increasing the risk of data exfiltration.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements and documents a generic Temu API proxy even though the skill is declared as an EU cancel-order skill. Because the caller can supply arbitrary API 'type' values and sites, the skill can be repurposed to invoke unrelated Temu operations outside the advertised scope, creating a capability-expansion/confused-deputy risk. In this skill context, that mismatch is more dangerous because users and higher-level orchestration may trust the manifest to constrain behavior to EU cancellation flows when it does not.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The module docstring and usage examples advertise broad proxying behavior and unrelated API examples, which normalizes use of this skill as a general-purpose Temu gateway. That increases the likelihood that operators or upstream agents invoke unauthorized or out-of-scope actions, especially since the implementation accepts arbitrary request types. In a skill that is supposed to be narrowly scoped to EU order cancellation, misleading documentation materially increases misuse risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code validates that fields are present but does not constrain 'site' to EU or 'type' to cancellation APIs, allowing arbitrary Temu API invocation through the gateway. This means a caller with credentials can use the skill to access non-EU, non-cancel functions that the manifest and user likely did not authorize, potentially performing unintended account or order operations. The mismatch between declared purpose and effective capability makes this especially dangerous in an agent ecosystem that may grant trust based on the skill description.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger text includes broad natural-language phrases and multiple related business terms, which can cause the skill to activate outside its intended context. Because the skill can perform cancellation-related actions through a gateway, ambiguous activation increases the chance of unintended order operations or invocation during unrelated conversations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly recommends storing Temu access tokens locally in a JSON file and shows commands that persist the raw token, but it does not warn about filesystem permissions, encryption, secret-scanning, or avoiding accidental inclusion in logs/backups. Because these access tokens authorize Temu business API actions, compromise of the local token store could let an attacker act on behalf of the seller account, especially on shared workstations, developer laptops, or CI environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows live usage patterns with API keys and access tokens in command examples but provides no warning about secret handling, redaction, shell history exposure, or safe storage. In an agent and gateway context, this raises the chance that operators paste real credentials into prompts, logs, tickets, or shared terminals, leading to credential leakage and unauthorized access to Temu or LinkFox services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes an API action that approves a buyer-initiated order cancellation, but it does not warn the agent or operator that this is a state-changing business action with potentially irreversible financial and fulfillment consequences. In an agent skill context, missing confirmation and impact guidance increases the chance of accidental or unauthorized cancellation approval, especially because the doc frames the action as a routine next step in a workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it to a local store, but it provides no warning that this token is a sensitive credential or guidance on secure handling. In an agent-skill context, normalizing manual token copying and local persistence increases the chance of credential leakage through logs, screenshots, shell history, insecure files, or reuse in the wrong environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs users to copy an access token and save it via a script/storeKey flow, but it does not warn that the token is a sensitive credential or provide any secure-handling requirements. In an agent skill context, this can normalize unsafe storage or transmission of API tokens, increasing the chance of credential leakage, account/API compromise, and unauthorized order operations if downstream tooling stores tokens insecurely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Temu access tokens in plaintext JSON on local disk and does so without setting restrictive file permissions or warning callers that sensitive credentials are being stored. If the host is multi-user, backed up, synced, or otherwise inspected by other local processes, the tokens could be recovered and reused to access the associated Temu accounts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints the raw access token directly to stdout in JSON output, which can leak credentials into agent transcripts, logs, shell history, or downstream tooling. In this skill context, that is especially dangerous because the token appears reusable and is not limited to a single cancellation request, enabling broader account or API abuse if exposed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script stores a sensitive access token locally and only prints a JSON result, without any warning, consent prompt, or disclosure that a reusable credential is being persisted. This is dangerous because operators may paste high-privilege tokens assuming one-time use, while the script silently turns them into locally stored secrets that may later be exposed through filesystem compromise, backups, or shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal