Temu Manage Product US

Security checks across malware telemetry and agentic risk

Overview

This Temu product-management skill is not clearly malicious, but it stores and exposes sensitive seller tokens and can make high-impact catalog changes with too little scoping or safety control.

Install only if you are comfortable granting this skill access to Temu seller tokens and authority to change or delete product catalog data. Avoid storing tokens with this package unless you can protect the local token file, do not print or paste raw tokens into chats or logs, and manually confirm every delete, full update, inventory, or sale-status action before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions even though its documented capabilities require environment-variable access, local token storage, and outbound network requests. This undermines informed consent and security review because operators cannot accurately see that the skill can read secrets, persist credentials, and communicate with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a bounded US product-management integration, but it also includes generic proxy/file-download tooling, token validation, and local token persistence outside that stated scope. This mismatch is dangerous because reviewers or users may grant trust for limited product actions while the skill can handle broader credential and network operations that expand the attack surface.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The relationship table states this skill covers '查、改、删、库存、价格、合规' (query, modify, delete, inventory, price, compliance), but the skill metadata explicitly routes price/supply-price actions to a different skill (`linkfox-temu-price-us`). This inconsistency can misroute pricing operations through the wrong skill or proxy path, increasing the chance of unauthorized or unintended price changes in a high-impact commerce workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script retrieves a stored Temu access token and prints the raw credential to stdout, making it easy for downstream tools, logs, transcripts, or other agents to capture and reuse it. In the context of a product-management skill, exposing bearer tokens is especially dangerous because the token can enable broad API actions such as inventory changes, product edits, or deletions beyond the user’s immediate intent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This helper script enumerates locally stored Temu access tokens and can print them to stdout, which creates a direct secret-disclosure path unrelated to normal product-management operations. The risk is amplified because the script supports disabling masking via user input, making full token exposure trivial for anyone with local execution access or access to logs, terminal history, or captured command output.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script stores arbitrary Temu access tokens in a reusable local store and its documented parameters support multiple sites and management types, which is broader than the declared US Manage Product skill scope. This kind of generic credential-handling utility increases the chance of cross-scope token reuse, accidental misuse in other workflows, and retention of sensitive credentials beyond the minimum necessary boundary for the skill.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill advertises destructive operations such as product deletion, full updates, stock changes, and sale-status changes without any warning, confirmation, or safety guidance. In an automation context, this increases the likelihood of accidental destructive actions or abuse through prompting because high-impact business operations are exposed as routine commands.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document recommends storing long-lived Temu access tokens in a local JSON file but does not warn users to protect that file with restrictive permissions, encryption, or secret-management controls. If the file is readable by other local users, included in backups, synced to cloud folders, or accidentally committed, an attacker could reuse the token to access or manipulate Temu business APIs for the associated store.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documented workflow includes state-changing operations such as product updates, stock edits, and sale status changes, but provides no warning that these actions can materially alter merchant catalog data. In an agent setting, lack of explicit confirmation and risk guidance increases the chance of accidental destructive or business-impacting actions, especially for delete, inventory, and publish/unpublish operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally persist it to a local store, but it provides no warning that the token is a sensitive credential or guidance for secure handling. In the context of a product-management skill that can delete products, edit inventory, and change listing state, insecure token handling could enable unauthorized API access and damaging account actions if the token is exposed through logs, screenshots, shared devices, or local storage compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists Temu access tokens in plaintext JSON on the local filesystem and does not set restrictive file permissions or use an OS-backed secret store. If the host is multi-user, backed up broadly, or compromised by other local processes, these tokens can be read and reused to manage products, inventory, and listing state for connected stores.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Printing the access token without warning or safeguards can leak credentials into shell history, CI logs, agent transcripts, error reports, and other monitoring systems. Because this skill is for Temu product management, any leaked token may permit unauthorized modification of listings, inventory, compliance data, or product lifecycle operations, making the context more dangerous rather than less.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script accepts JSON input with {"mask": false} and then outputs stored access tokens in cleartext without any confirmation prompt, warning, or access-control check. Cleartext secret disclosure is dangerous because tokens can be reused to access Partner/Temu APIs, and the exposure may persist in shell history, CI logs, screenshots, or support artifacts.

VirusTotal

VirusTotal findings are pending for this skill version.