Temu Fulfillment Global

Security checks across malware telemetry and agentic risk

Overview

This Temu fulfillment skill is mostly a real API integration, but it handles powerful store credentials and live shipping actions with weak scoping and plaintext local token storage.

Review before installing. Only use this skill with a Temu/LinkFox account where you are comfortable allowing an agent to create shipments, confirm fulfillment, cancel pickups, and call generic Temu API types. Avoid saving tokens in plaintext on shared or synced machines; if you do save them, restrict file access and rotate tokens if they are printed, logged, or pasted into transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises executable capabilities involving environment access, file writing, and network access but does not declare permissions. This weakens security review and runtime trust boundaries because operators and users cannot accurately assess what the skill can access, and hidden capability expansion can enable token exposure, unintended outbound requests, or local persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is described as a narrowly scoped Temu Global fulfillment bundle, but the detected behavior includes generic proxying, generic file download, token guide generation, local token storage/listing, and token validation utilities. This scope mismatch is dangerous because it creates a confused-deputy risk: a user or reviewer may trust the skill for fulfillment only, while it can perform broader API actions, handle secrets, and persist sensitive credentials outside the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script's documented purpose is to retrieve and print a Temu access token from local storage, which expands the skill from fulfillment operations into credential extraction. In a skill advertised as a fulfillment/shipping integration, including a general token retrieval utility increases the attack surface and enables downstream misuse of stored credentials outside the stated business function.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
When a token is found, the script emits the raw accessToken in JSON to stdout, making credential disclosure a built-in feature. Any caller, log collector, transcript, shell history, or chaining agent that invokes this utility can capture a reusable secret and use it to access Temu APIs beyond the immediate fulfillment action.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script explicitly accepts and persists generic Temu access tokens for purposes such as proxy/fileDownload and product-inventory, which is broader than the fulfillment-global skill's declared shipping scope. This kind of scope mismatch increases the chance that operators store high-privilege tokens unrelated to the advertised function, enabling unintended reuse or abuse if the local token store is accessed by other components or compromised.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file provides a dedicated mechanism to save access tokens to persistent local storage, creating a durable secret repository on disk. Persistent storage of bearer tokens materially increases exposure because any local compromise, accidental backup, log leakage, or cross-skill access can turn a temporary credential into a reusable long-term secret.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document recommends storing a live Temu access token in a local JSON file under the user's home directory and provides copy-paste examples for doing so, but it does not clearly warn about file-permission hardening, disk encryption, malware exposure, backups, or multi-user host risks. Because this token authorizes business API actions for shipping and fulfillment, compromise of the local file could enable unauthorized access to store operations and sensitive order/logistics data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document describes state-changing fulfillment operations such as shipment creation, pickup reservation, cancellation, and shipped-package confirmation without explicit user-facing warnings that these actions can purchase labels, alter fulfillment state, trigger warehouse workflows, or cancel logistics actions. In an agent setting, missing impact warnings increase the risk of accidental high-consequence actions being invoked based on ambiguous prompts or insufficient confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The reference explicitly shows API keys and access tokens in headers, body fields, and shell examples without warning users not to paste, share, or log real credentials. In chat- and agent-mediated workflows, this materially raises the chance of secret exposure through transcripts, logs, screenshots, or prompt injection into downstream tools.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly instructs users to submit highly sensitive third-party authorization material such as `cwAccessToken`, optional `cwAppKey`, and `cwCustomerCode`, but it does not warn that these values are secrets, should not be logged, should be redacted from examples, and must be stored/transmitted securely. In an agent or automation context, this omission increases the likelihood that credentials will be pasted into chats, retained in logs, or exposed through debugging and telemetry, enabling unauthorized use of the cooperative warehouse integration.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The documentation shows commands that pass `LINKFOXAGENT_API_KEY` and `accessToken` directly in shell examples without any accompanying warning that these are sensitive secrets. While placeholder values are used, readers may copy the pattern into real terminals, shell histories, logs, CI output, or screenshots, which can lead to credential exposure and unauthorized API use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation describes a live shipment-purchase/order-creation API that can create package numbers and, depending on parameters such as shipLater=false and later workflow steps, advance real fulfillment state, but it does not prominently warn operators that calls have real-world effects. In an agent-skill context, missing transactional warnings increases the chance of accidental package creation, billing, or shipment-state changes from misunderstood prompts or automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation describes an action that transitions orders from pending shipment to shipped and can also reject cancellation or address-change requests, but it does not prominently warn that these are business-state-changing operations with potentially irreversible consequences. In an agent skill context, missing guardrails can lead an automated system or operator to invoke the API without explicit user confirmation, causing unauthorized fulfillment, customer-impacting decisions, and operational loss.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The examples repeatedly show an `accessToken` placeholder being passed on the command line and in JSON payloads without any warning that this value is a secret. In real usage, users often replace placeholders with live tokens, and command-line arguments can leak via shell history, process listings, logs, screenshots, or copied transcripts, making credential exposure more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation exposes a state-changing cancellation API but does not explicitly warn that invoking it will cancel an existing pickup reservation and may disrupt shipment fulfillment if used accidentally or with the wrong reservationSn. In an agent skill context, ambiguous or warning-free destructive operations are risky because an LLM or user may trigger them unintentionally from natural-language requests, leading to operational harm even without a traditional code exploit.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it to a local store, but it does not warn that the token is a sensitive credential equivalent to API authorization. In this skill context, that omission is meaningful because the token enables fulfillment and shipping operations; insecure handling or local persistence could lead to unauthorized API access, shipment manipulation, or account abuse if the host is compromised or logs/store contents are exposed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The catalog explicitly advertises operationally sensitive actions such as shipment creation, shipment updates, shipped-package confirmation, pickup reservation creation/cancellation, warehouse fulfillment submission/cancellation, and shipping-type updates, but provides no warning that these actions can trigger real-world logistics events that may be costly, irreversible, or difficult to unwind. In an agent context, this increases the risk that a model will invoke state-changing fulfillment APIs from ambiguous or insufficiently confirmed user requests, causing erroneous shipments, cancellations, or confirmations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly instructs users to copy an access token and save it for later API use, but it does not warn that the token is a sensitive credential that must be protected from logs, chat transcripts, screenshots, or source control. In an agent-skill context, omission of that warning increases the chance operators will paste or persist live tokens insecurely, which could enable unauthorized access to Temu seller APIs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists Temu access tokens to a local JSON file in plaintext and does not set restrictive file permissions or use an OS-backed secret store. If the host is multi-user, backed up, synced, or otherwise accessible, these credentials can be recovered and used to access seller APIs; the skill context makes this more sensitive because these are real fulfillment/authentication tokens for e-commerce operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script outputs sensitive credentials with no warning, confirmation, masking, or safeguard, which makes accidental disclosure highly likely in normal operation. In an agent-skill context, stdout is often surfaced to orchestration layers, traces, and users, so an unguarded secret print materially increases the chance of credential leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script enumerates locally stored Temu access tokens and can print them with masking disabled via the user-controlled `{"mask": false}` parameter. Even though it does not automatically exfiltrate secrets, a utility whose purpose is to reveal credential material increases the chance of accidental disclosure through terminal logs, screenshots, shell history, or downstream tooling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The utility asks the user to paste an access token and saves it locally, but the visible interface and usage text do not clearly warn that the token will be persisted. In a skill ecosystem, that omission is risky because users may assume one-time transient use and unintentionally leave sensitive credentials stored on disk for later discovery or misuse.

VirusTotal

65/65 vendors flagged this skill as clean.