Temu Cancel Order Global

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a Temu order-cancellation integration, but it also grants broad authenticated Temu API and file-download access plus weakly protected local token handling.

Install only if you trust LinkFox with Temu seller access and are comfortable with this skill acting as a broad Temu API gateway, not just a cancel-order tool. Use least-privilege/short-lived tokens where possible, avoid saving tokens locally unless necessary, protect or delete ~/.linkfox/temu-access-tokens.json, and require a clear manual confirmation before any cancellation or order-state-changing call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium (95% confidence)
This script enumerates locally saved Temu access tokens and can optionally print them unmasked via user-controlled input. That capability is sensitive credential exposure and is unrelated to the skill’s declared order-cancellation functionality, which increases concern that the skill contains unnecessary secret-access behavior that could aid account compromise or lateral misuse.

Description-Behavior Mismatch

Medium (93% confidence)
The file’s behavior does not implement cancellation APIs; instead it outputs locally stored access tokens. Scope mismatch is dangerous in security-sensitive agent skills because users or operators may trust the package as a cancellation integration while it quietly includes credential-discovery functionality, expanding the attack surface and creating opportunities for secret leakage.

Context-Inappropriate Capability

Medium (88% confidence)
The script explicitly stores an access token locally for reuse in other operations, expanding credential lifetime and attack surface beyond the immediate cancel-order workflow. In a skill scoped to cancel-order actions, persistent reusable credentials can be abused by other local processes, users, or later tool invocations if the token store is compromised or insufficiently protected.

Description-Behavior Mismatch

High (96% confidence)
This file implements a generic Temu signed file download capability, which is unrelated to the stated purpose of a cancel-order skill. A mismatched capability expands the tool's authority and can let the skill retrieve arbitrary signed resources or data through the gateway when users or downstream agents expect only order-cancellation operations.

Intent-Code Divergence

Medium (92% confidence)
The module docstring explicitly advertises a signed file download tool, directly contradicting the skill's cancel-order metadata. This inconsistency is dangerous because it signals hidden or mispackaged functionality, increasing the chance that reviewers, users, or orchestration systems grant broader access than intended.

Description-Behavior Mismatch

High (95% confidence)
This script exposes a file download capability in a skill whose declared purpose is Temu Global order cancellation. That mismatch expands the effective privilege/scope of the skill and can enable unauthorized retrieval of remote files or sensitive data through the gateway, especially if callers can supply arbitrary URLs and access tokens.

Description-Behavior Mismatch

High (97% confidence)
The script is a generic Temu API proxy: it accepts an arbitrary 'type' and forwards arbitrary 'params' along with a resolved access token to the upstream proxy URL. That behavior exceeds the skill's declared cancel-order-only scope, enabling callers to invoke unrelated Temu APIs and potentially abuse the skill as a broad authenticated API tunnel.

Intent-Code Divergence

Medium (88% confidence)
The module docstring explicitly describes a general-purpose 'Temu API Proxy' and its example uses a non-cancel-order API ('bg.goods.category.mapping'), contradicting the stated skill purpose. In a security-sensitive agent environment, this mismatch is dangerous because it signals hidden capability expansion and increases the chance the agent will route unrelated, privileged actions through this skill.

Missing User Warnings

Medium (91% confidence)
The documentation explicitly recommends storing Temu access tokens on disk in a local JSON file and provides commands that place raw credentials into command history and local storage, but it does not warn that these tokens are sensitive secrets or describe protections such as file permissions, encryption, or secret-manager use. If a workstation, shell history, backup system, or home directory is exposed, an attacker could recover the token and use it to access Temu business APIs through the documented workflow.

Missing User Warnings

Medium (89% confidence)
The documentation exposes an order-cancellation approval operation that changes transaction state and can cause financial or fulfillment impact, but it does not prominently warn that approving cancellation is a destructive business action requiring explicit user confirmation and authorization checks. In an agent setting, this omission increases the chance that an LLM-driven workflow will execute the action automatically or with insufficient user awareness, especially because the skill is designed to trigger on natural-language cancellation requests.

Missing User Warnings

Medium (87% confidence)
This documentation exposes a state-changing order-cancellation capability and describes how to invoke it, but it does not include an explicit operational warning, confirmation requirement, or clear guardrails about when the action is irreversible or business-sensitive. In an agent skill context, that omission increases the risk that an automated workflow could cancel merchant orders based on ambiguous user requests or incomplete verification, causing financial loss, fulfillment disruption, and customer-impacting mistakes.

Missing User Warnings

Medium (93% confidence)
The document instructs users to copy a Temu access token from the seller backend and optionally save it to a local store, but it does not warn that the token is a sensitive credential equivalent to account/API access. In the context of order cancellation and shipping operations, leakage or insecure local retention of this token could allow unauthorized API calls, including order-related actions across the Temu Global environment.

Missing User Warnings

Medium (98% confidence)
This script prints the retrieved access token directly to stdout in JSON, which can expose credentials to terminal history, logs, calling processes, orchestration layers, or other users with access to captured output. In an agent skill context, stdout is commonly consumed by other components and may be persisted, making secret leakage materially more dangerous than in a purely local one-off script.

Missing User Warnings

Medium (93% confidence)
The script solicits an access token on the command line and states it will be saved locally for reuse, but provides no explicit warning about credential persistence, storage location, or security implications. This is dangerous because users may unknowingly leave sensitive tokens in shell history or on disk, enabling credential theft and unauthorized API access.

VirusTotal

VirusTotal findings are pending for this skill version.
