Temu Order EU

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it grants broad Temu API and credential-handling capabilities beyond a tightly scoped EU order workflow.

Install only if you trust LinkFox and need Temu EU order operations. Treat this as a high-trust business-data skill: use least-privilege Temu tokens, avoid saving tokens locally unless necessary, protect or relocate the token store, do not use unmasked token output, and restrict use of decrypted shipping data, customization downloads, and SN/IMEI uploads to authorized fulfillment needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable scripts that use environment variables, local token storage, file writes, and outbound network access, but it does not declare permissions or clearly constrain those capabilities. This creates an integrity and review gap: operators may approve an apparently narrow order-management skill while it can also persist secrets locally and call remote services, increasing the risk of unnoticed data exposure or misuse.

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a specific EU order-management integration, but the skill also exposes generic Temu proxying across multiple sites, signed file download, token validation, and local credential persistence. This mismatch is dangerous because reviewers and users may trust the skill with EU order data while it actually provides broader API reach and credential-handling functionality that can be repurposed for unintended access or exfiltration.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This script exposes a local capability to enumerate stored Temu access tokens, and it even supports disabling masking via a user-controlled parameter. That behavior is not necessary for the stated EU order-management functions and increases the risk of credential discovery, misuse, and follow-on unauthorized API access if the script is invoked by an operator, another tool, or an attacker with local access.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The script persists an access token to a local store for later reuse, which creates a credential-retention surface beyond the immediate order action. In an agent-skill context, persistent storage of bearer tokens increases the blast radius of host compromise, accidental reuse across contexts, and unintended access if the token store is not strongly protected.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The module is documented and exemplified as a generic Temu API proxy, which materially exceeds the skill’s declared purpose of EU order-management operations. In an agent setting, this scope mismatch can enable users or upstream prompts to invoke unrelated Temu capabilities through the same gateway, undermining least-privilege expectations and increasing the chance of unauthorized or unsafe API use.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code accepts an arbitrary user-supplied `type` and forwards it to the Temu proxy without restricting it to order-management endpoints. This effectively turns the skill into a generic API forwarder, allowing invocation of unrelated or more sensitive Temu functions than the skill advertises, which is especially dangerous in an agent environment where tool scope is relied upon for security boundaries.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Although the skill is described as handling Temu EU orders, the request builder only calls a generic site validator and does not constrain `site` to `eu`. This permits non-EU usage through a skill that users and orchestrators would reasonably assume is EU-scoped, creating cross-region scope bypass and possible unauthorized access to other regional APIs or data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly supports retrieving and decrypting shipping information, which likely includes personally identifiable address data, but it provides no privacy warning, access-control guidance, or minimization requirements. In an order-management context this may be operationally legitimate, yet exposing decryption as a routine example without safeguards increases the chance of unnecessary access to sensitive customer data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly recommends storing Temu access tokens locally in a JSON file and shows example commands that paste raw tokens into command-line arguments, but it does not warn about filesystem permissions, shell history exposure, encryption, or secure secret storage. Because these tokens authorize order and shipping operations for Temu shops, leakage could enable unauthorized access to sensitive order data or abuse of business APIs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly advertises an endpoint for retrieving decrypted shipping information, which is highly sensitive personal data, but it does not provide clear restrictions, justification requirements, masking guidance, retention limits, or operator warnings. In an agent skill context, this omission increases the chance that downstream agents or users will request, expose, log, or misuse full recipient PII beyond what is necessary for order fulfillment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation exposes a workflow for retrieving customized order content, including customer-provided text, images, and downloadable SVG/compressed assets, but it does not warn that these materials may contain sensitive personal or proprietary data. It also instructs callers to send authorization-bearing TOA headers to a returned `compressedFileUrl`, which increases the risk of credential leakage or unsafe header forwarding if the URL is not tightly validated as an expected Temu-controlled host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This document explicitly describes an API that returns full shipping-address PII, including recipient name, phone numbers, email, postal code, and detailed address fields, but provides no privacy guidance, access-control expectations, masking requirements, logging cautions, or handling restrictions. In an agent skill context, that omission is risky because downstream agents or integrators may retrieve, display, store, or echo this sensitive data without minimization, increasing the chance of unauthorized disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation explicitly instructs users to upload sensitive device identifiers such as SN and IMEI, which are regulated or privacy-sensitive data elements, but it provides no warning about lawful basis, minimization, storage, masking, retention, or log-handling. In an order-shipping integration this may be business-required, but the absence of handling guidance increases the risk of accidental overcollection, exposure in logs, or improper processing of customer/device-linked identifiers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it locally, but provides no guidance on secure handling, storage, masking, rotation, or least-privilege use. Because this skill is specifically about order management APIs for Temu EU stores, mishandled tokens could expose order data, addresses, and operational capabilities such as shipment-related actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The catalog explicitly documents a `bg.order.decryptshippinginfo.get` capability, which implies access to decrypted recipient shipping data, but provides no warning that this endpoint handles highly sensitive personal information. In an order-management skill, that omission increases the chance that downstream agents or operators will invoke the decryption path without appropriate necessity checks, masking, audit controls, or least-privilege handling of EU customer PII.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints a live access token directly to stdout in JSON, which can expose credentials to shell history, logs, agent transcripts, CI output, or downstream tools that capture command output. In an agent skill context, this is more dangerous because the token may be surfaced back to users or other components and then reused to access Temu order APIs.

VirusTotal

66/66 vendors flagged this skill as clean.