Temu Manage Product Global

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Temu product-management gateway, but it can change live listings and handles reusable Temu tokens in ways that need careful review.

Install only if you intend to let this skill manage real Temu Global product data through LinkFox. Protect LINKFOXAGENT_API_KEY and Temu accessToken like passwords, avoid printing or pasting raw tokens, restrict or replace the plaintext token store, and require human confirmation before stock changes, full updates, sale-status changes, compliance edits, or deletions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes capabilities that use environment secrets, local file writes, and outbound network access, but it does not declare permissions or scope these capabilities. This matters because the skill also handles Temu access tokens and gateway API keys, so undeclared file and network access can enable secret storage and transmission without clear operator review or sandbox enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a bounded global product-management integration, but the documented scripts include generic proxying, signed file download, token validation, and local token storage/retrieval features outside that narrow purpose. Hidden or under-disclosed capabilities are dangerous because they expand the attack surface, can be repurposed to reach unintended APIs, and allow sensitive credential handling and data movement beyond what a user would reasonably expect from the skill description.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document states this API belongs to `manage-product-us` even though the skill metadata and file path indicate a global/non-US scope. This kind of scope confusion can cause an agent to route requests to the wrong skill or apply the wrong regional assumptions, leading to unauthorized operations, incorrect data handling, or policy bypass across market boundaries.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This utility persists a reusable Temu access token in a local store, creating a credential-at-rest risk that expands the blast radius beyond the immediate API call. In the context of a product-management skill, long-lived local token caching is not clearly necessary and can enable later unauthorized product changes if the host, logs, backups, or token store are accessed by another process or user.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script exposes a signed file download capability through /temu/fileDownload even though the skill is described as a Global Manage Product skill. This scope mismatch can cause the agent to invoke an unrelated data-access operation, increasing the chance of unauthorized file retrieval or misuse of signed URLs beyond the intended product-management boundary.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The module documentation advertises a general signed-file download utility and even provides a site='us' example, which conflicts with the skill metadata stating this skill is for Temu Global Manage Product and not US/EU flows. Such contradictory documentation is dangerous because agents and operators may invoke the script in unintended contexts, bypassing separation between regional skills and expanding access beyond the declared trust boundary.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill exposes destructive actions such as stock edits, partial/full goods updates, deletion, compliance edits, and sale-status changes without any explicit warning or confirmation guidance about modifying live commerce data. In this context, accidental invocation could immediately alter inventory, listings, or availability for real products on the global storefront, causing business disruption even without malicious intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document recommends storing a Temu access token locally and even shows a command that includes the raw token value, but it does not clearly warn that this token is a sensitive credential equivalent to API authorization. If the local token store, shell history, logs, backups, or workstation are compromised, an attacker could reuse the token to access or modify Temu business data through the proxy/API workflows described by the skill.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This documentation exposes a high-impact inventory mutation API, including full stock overwrite and decrement operations, without any warning, guardrails, or operator confirmation guidance. In an agent skill context, that omission increases the risk of accidental or unauthorized stock changes at scale, which can cause product delisting, overselling, or business disruption even if the API itself is legitimate.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This documentation describes a full-product update API where `skuList` must be complete and advises fetching details first, but it does not clearly warn that omitted fields in a full update may overwrite or clear existing product data. In a product-management skill, that omission can easily lead an agent or operator to submit partial payloads to a destructive endpoint, causing unintended loss or corruption of listings, media, attributes, or SKU configuration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation exposes a destructive product-deletion capability but does not include any warning, confirmation requirement, or usage guardrails. In an agent skill context, that omission increases the chance that an LLM or operator could invoke deletion from an ambiguous or mistaken request, causing irreversible catalog loss or business disruption.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly instructs users to copy a Temu access token from the seller backend and optionally save it locally, but it gives no warning about the token's sensitivity, storage requirements, or handling precautions. In this skill context, the token enables authenticated product-management actions through the proxy, so careless local storage increases the chance of credential leakage and unauthorized inventory or listing changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly tells users to copy and save an access token, but never labels it as a secret or warns against insecure storage, logging, or sharing. In an auth guide for production API access, this omission can lead to credential leakage and unauthorized access to seller accounts and product-management APIs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Multiple workflow steps instruct the user to copy an access token across several shop modes, but omit any security guidance on safe handling. Because this skill is specifically about obtaining and using API credentials for commerce operations, users are likely to operationalize these instructions directly, increasing the chance of token disclosure through plaintext storage, support channels, or automation logs.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The guide notes that an IP whitelist must be configured before using the gateway, but does not explain that whitelisting expands network trust and should be restricted to approved egress IPs only. While less severe than token-handling issues, this omission can cause users to over-broaden allowlists or misunderstand the security boundary protecting the gateway.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the retrieved Temu access token directly to stdout in JSON, which can expose credentials to shell history, terminal scrollback, logs, calling processes, or agent transcripts. In an agent skill context, returning secrets as normal output is especially risky because downstream tools or LLM orchestration layers may capture and reuse that output beyond the intended boundary.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script supports an input option of {"mask": false}, which causes locally stored Temu access tokens to be printed in cleartext to standard output. Even though this appears intended for local administration, exposing bearer tokens without any confirmation, warning, or access control increases the chance of accidental credential disclosure via terminal logs, shell history, screenshots, or upstream agent output handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script takes an access token from the command line and saves it for reuse without any explicit warning that the credential will be persisted. This can surprise users and lead to credential exposure through shell history, process inspection, or unnoticed long-term storage, which is especially sensitive because the token can be reused to manage products and inventory.

VirusTotal

VirusTotal findings are pending for this skill version.
