Temu Cancel Order US

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a Temu cancellation workflow, but it also includes broad API proxying, file download, and plaintext token-management tools that deserve careful review before installation.

Install only if you trust LinkFox with Temu order data and access tokens, and only use it with narrowly scoped tokens. Avoid saving tokens locally unless you can protect the file, do not pass real tokens in shell history or chat logs, and require a human confirmation before any cancellation or after-sales approval call. Consider removing or disabling the generic proxy, file-download, and raw token-listing scripts if you only need US order cancellation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable scripts that use environment variables, local token storage, and outbound network access, but it does not declare permissions or clearly constrain those capabilities. This creates a trust gap: users and calling agents may invoke a skill with broader data access and persistence than the manifest suggests, increasing the risk of secret exposure, unauthorized network transmission, or unsafe token handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a narrow Temu US cancel-order skill, but the contents expose materially broader functions: generic API proxying, signed file download, token storage/retrieval, token validation, and multi-region support. That mismatch can cause users or orchestration systems to trust and auto-route sensitive requests to a skill that is capable of far more than expected, enabling data exfiltration, privilege misuse, or unintended actions through the generic proxy path.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This script provides a generic credential-retrieval primitive that can return Temu access tokens for arbitrary store/site/managementType/tokenPurpose combinations, which is broader than the stated cancel-order skill scope. In an agent skill, exposing a reusable token fetcher increases the chance of credential misuse, privilege expansion, or reuse by unrelated workflows if an attacker can influence inputs or invoke the script indirectly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script enumerates locally stored Temu access tokens and explicitly supports disabling masking via a user-controlled parameter, which can reveal usable secrets in plaintext. For a cancel-order skill, a token-dumping utility is not necessary for core functionality, and if run by an agent, operator, or attacker with local access, it materially increases the chance of credential exposure and downstream API abuse.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script introduces a credential-persistence capability that is outside the stated scope of a cancel-order skill. Saving reusable Temu access tokens locally expands the blast radius of the skill: anyone with local access, log access, or later code execution may reuse the token for unrelated API actions, making the mismatch between advertised purpose and actual capability security-relevant.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Persistently storing an access token is a sensitive capability because the token can typically be replayed to act as the user or store against external APIs. In a cancel-order skill, this is not obviously necessary and creates a durable secret on disk that could be stolen from the host, backups, or adjacent tooling, enabling unauthorized order, inventory, or account actions beyond the immediate request.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This file implements a generic signed-file download capability even though the skill is described as a Temu US cancel-order integration. That mismatch expands the skill's effective scope and can enable unauthorized retrieval of signed resources through the LinkFox gateway, violating least privilege and potentially exposing sensitive files if the skill is invoked outside its stated purpose.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script forwards an arbitrary Temu API 'type' and user-supplied 'params' through a generic proxy, even though the skill is described as cancel-order-specific. This creates a scope-bypass condition where callers can invoke unrelated Temu operations through a skill that users and policy controls may trust for a much narrower purpose.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module docstring and usage text advertise a generic Temu API proxy, which contradicts the skill's stated cancel-order-only purpose. Misleading capability descriptions are dangerous because operators, reviewers, and downstream policy engines may approve or expose the skill under false assumptions, enabling broader API access than intended.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script exposes a file-download capability in a skill whose declared purpose is cancel-order operations. Even though the wrapper itself is small, adding an out-of-scope downloader increases the attack surface and may enable unauthorized retrieval of files or data through the LinkFox/Temu gateway if invoked with attacker-controlled URLs or tokens. The mismatch between manifest intent and implemented capability makes this especially suspicious because users and reviewers would not expect download behavior here.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module docstring explicitly advertises US file-download behavior, which contradicts the skill's documented cancel-order purpose. That inconsistency is dangerous because it signals hidden or undeclared functionality, making misuse and security review gaps more likely; in an agent setting, undocumented capabilities can be triggered in contexts where users only consented to order-cancellation actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text matches broad phrases such as Temu US cancel order, buyer cancel, seller cancel, applySn, and order-shipping without clear activation boundaries. Overbroad triggering can cause the skill to activate in loosely related conversations and collect or transmit order identifiers and tokens to external services when the user did not intend to use this specific gateway-backed capability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly routes requests to an external LinkFox gateway and uses access tokens/store keys, yet it does not prominently warn that order data and authorization material may be transmitted to a third party. In a commerce context, that omission is risky because users may disclose sensitive operational data without understanding the external trust boundary or retention implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly recommends storing a Temu access token locally in a JSON file and provides copy-paste workflows for saving it, but it does not warn that the token is a sensitive credential or describe protections such as restrictive file permissions, encryption, secret-manager use, rotation, or avoiding inclusion in logs/backups. If a local machine is compromised, shared, backed up insecurely, or the token file is accidentally exposed, an attacker could reuse the token to access Temu business APIs through the described workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation exposes an order-cancellation approval action that changes business state and is described as part of a typical workflow, but it provides no explicit confirmation, authorization, or user-consent safeguards before performing the irreversible action. In an agent setting, that omission can cause unintended cancellations if the model maps a vague request to this endpoint or proceeds without a final user check.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation describes an order-cancellation action that can alter order state and submit the request to Temu risk control, but it does not explicitly warn operators that invoking the API has real-world transactional consequences. In an agent skill context, missing a clear confirmation/warning increases the chance of unintended cancellations or misuse, especially because the examples are directly runnable and framed as a normal workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it to a local store, but provides no safeguards for secret handling, storage protection, masking, rotation, or scope minimization. In a skill that brokers order-cancellation and after-sales actions, compromise of this token could allow unauthorized access to sensitive merchant operations and order workflows, making the omission materially dangerous in context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly tells users to copy and save an access token but does not present it as a secret credential or warn against exposing it in logs, chat, screenshots, or source files. In this skill context, the token appears to authorize API access to seller/order operations, so mishandling it could enable unauthorized access or account actions if the token is leaked.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Temu access tokens in plaintext JSON on the local filesystem and does not set restrictive file permissions or use a secure credential store. If another local user, process, backup system, or malware can read the file, the tokens can be stolen and used to access partner APIs as the associated store.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script prints the raw access token to stdout in JSON, which can expose credentials through logs, agent transcripts, shell history capture, pipeline output, or downstream tool observation. In an agent environment, stdout is often visible to other components or users, making secret exfiltration especially likely and turning a local helper into a credential-leak mechanism.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script explicitly asks operators to pass an access token on the command line and emphasizes saving it for reuse, but it does not warn that the credential will be stored persistently. This is dangerous because command-line arguments may be exposed via shell history or process inspection, and users may unknowingly leave a reusable credential both in local storage and in system artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage instructions tell users to pass the Temu access token on the command line, which commonly exposes secrets via shell history, process listings, logging, and telemetry. In an agent or multi-user environment, this increases the chance of credential leakage and subsequent unauthorized API use.

VirusTotal

VirusTotal findings are pending for this skill version.
