Temu Order Global

Security checks across malware telemetry and agentic risk

Overview

This Temu order skill mostly matches its stated purpose, but it includes overly broad proxy and credential-handling helpers that need review before installation.

Install only if you trust LinkFox and need Temu Global order automation. Avoid using the generic proxy for non-order APIs, do not use unmasked token listing, prefer a secure secret manager over the plaintext local token store, and treat customer shipping data, customization files, IMEI/serial values, and Temu tokens as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script retrieves a stored Temu access token and emits the raw credential in JSON to stdout. In an agent/skill environment, stdout is commonly captured by logs, orchestration layers, or upstream tools, so this creates a direct secret-exposure path that can enable unauthorized API access far beyond the stated order-management wrapper behavior.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This script enumerates locally stored Temu access tokens and can optionally print them unmasked via user-controlled input. Even if intended for debugging, exposing credential inventory is outside the stated order-management purpose and increases the risk of credential disclosure, lateral movement, and misuse of marketplace APIs.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The file's primary behavior is to reveal locally saved access-token information rather than perform the manifest-declared Temu order API actions. This mismatch is dangerous because it introduces credential-discovery functionality into a skill that users would reasonably expect to handle orders, creating an unnecessary path to expose sensitive authentication material.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
This script exposes a generic signed-file download capability that is not reflected in the skill metadata, which describes only Temu Global order-management APIs. Hidden or undeclared capability increases the attack surface and can be abused to retrieve arbitrary signed resources if a caller can supply a URL and token, especially because the helper forwards credentials to a backend API without additional scope checks in this file.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The docstring and examples reference the US site even though the skill is described as Global non-US/EU. This mismatch can cause operators or downstream automation to invoke the script against the wrong regional environment, potentially mixing credentials, data, or policy boundaries across sites.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The script is implemented as a generic Temu proxy and forwards arbitrary request bodies to a shared proxy endpoint, while the skill metadata claims it is limited to a small set of order-management APIs. That mismatch creates a capability-expansion vulnerability: a caller can use this skill to reach non-order Temu APIs, bypassing the intended least-privilege boundary and any policy controls that rely on the manifest description.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The code accepts any user-supplied value in the "type" field and inserts it directly into the proxied request without restricting it to the skill's declared order endpoints. In this skill context, that makes the issue more dangerous because users and orchestrators may trust the skill as order-only, yet it can be repurposed to invoke unrelated Temu operations, potentially exposing broader business functions or sensitive data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document recommends storing Temu access tokens locally in a predictable file path and demonstrates workflows that persist the raw token, but it does not warn that the token is a sensitive credential or describe risks such as local compromise, backup leakage, shared-account exposure, or accidental inclusion in logs and shell history. In the context of an order-management skill, these tokens likely grant access to business APIs for orders and shipping, so theft could enable unauthorized data access or actions against the merchant account.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly advertises an endpoint for retrieving decrypted shipping information, which likely includes personally identifiable information such as recipient names, addresses, and contact details, but it does not pair that capability with clear privacy handling, least-privilege, or authorization warnings. In an order-management skill this access may be operationally legitimate, but documenting sensitive-data decryption as a normal workflow without guardrails increases the chance of over-collection, misuse, or accidental disclosure by downstream users or agents.

Missing User Warnings

Medium
Confidence: 90%
Finding
The document explicitly describes a workflow that takes order-group data and then uses shipping-info/decryption APIs to obtain customer address details, but it provides no warning, access-control guidance, or data-minimization constraints for handling that sensitive order information. In an order-management skill, this omission can normalize broad retrieval of customer-linked identifiers and addresses, increasing the risk of privacy violations, over-collection, or misuse by downstream agents or users.

Missing User Warnings

Medium
Confidence: 81%
Finding
The documentation enables bulk retrieval of customized order content, including customer-provided text, uploaded images, preview assets, and downloadable SVG/compressed files, but does not warn that these materials may contain personal or sensitive user data. In an order-shipping context, this omission increases the chance that downstream agents or operators will over-collect, expose, or mishandle customer customization content and temporary file URLs.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation explicitly exposes an API that returns highly sensitive personal data, including full name, phone numbers, email, and complete shipping address, but provides no privacy warning, access-limitation guidance, masking requirements, logging restrictions, or data-minimization instructions. In an agent skill context, this increases the chance that downstream agents or users will retrieve, display, store, or transmit customer PII more broadly than necessary, creating privacy, compliance, and unauthorized-disclosure risk.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation explicitly instructs users to upload highly sensitive identifiers such as IMEI numbers, serial numbers, order numbers, and second-hand authentication certificate codes, but it provides no warning about their sensitivity, retention, masking, or safe handling. In an agent skill context, this increases the chance that operators or downstream tooling will log, echo, or mishandle these identifiers, which can expose device-linked data and order-linked information beyond the minimum necessary audience.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document instructs users to copy a Temu access_token from the seller backend and optionally save it locally, but it does not warn that the token is a sensitive credential equivalent to API authorization. This increases the chance of accidental disclosure through clipboard history, shell history, logs, screenshots, or insecure local storage, which could enable unauthorized order and shipping operations for the referenced store.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code persists Temu access tokens in plaintext JSON on disk without setting restrictive file permissions or using a secure secret store. If the local machine, home directory, backups, or shared environment are accessible to other users or processes, these tokens can be stolen and used to access order-management APIs.

Missing User Warnings

Medium
Confidence: 97%
Finding
Printing the retrieved access token to stdout exposes a live secret to any caller, wrapper, transcript, or log sink that observes command output. Because this skill operates in an API-agent context, that exposure is more dangerous than in a purely local admin script: the token may be surfaced to users or other components and then reused to access or manipulate Temu data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script persists an access token locally via save_token without any visible warning, confirmation, or indication of storage protections. In a credential-handling utility, silent local persistence increases the risk of accidental long-term storage, token reuse by other local processes, and leakage through backups or weak filesystem permissions.

VirusTotal

VirusTotal findings are pending for this skill version.
