Temu Order US

Security checks across malware telemetry and agentic risk

Overview

This skill is for Temu order management, but it stores and exposes sensitive Temu tokens and includes broad proxy tools that can reach beyond the stated US order scope.

Install only if you trust LinkFox and the publisher with Temu seller credentials and customer order data. Use a least-privilege Temu token, avoid the generic proxy and file-download helpers unless required, do not print or paste raw access tokens into chats or logs, and store tokens in a protected secret manager rather than the default plaintext file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
This script enumerates locally stored Temu access tokens and can optionally print them unmasked via user-controlled input. Access tokens are sensitive credentials; exposing them is not necessary for the stated order-management functionality and creates a clear path to account/API compromise if the script is run or accessed by an unauthorized party. In this skill context, the issue is more dangerous because the tokens likely grant direct access to Temu US order operations, including viewing and modifying order-related data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
This helper script enables saving Temu access tokens locally for reuse in proxy and file-download flows, which extends beyond the stated order-management scope of the skill. Storing reusable bearer tokens increases the blast radius of compromise because anyone with access to the local store may be able to invoke broader Temu APIs than users would expect from an order-only skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
This file implements a generic Temu proxy that accepts arbitrary API `type` values and forwards caller-supplied parameters, which exceeds the declared skill purpose of Temu US order management. In an agent environment, this creates a capability-expansion flaw: users or prompts can invoke unrelated Temu APIs through the skill, bypassing intended scope restrictions and potentially reaching sensitive seller, product, or account operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The request builder accepts arbitrary `site` and `type` values after only generic validation, allowing cross-site use and non-order API access that is not justified by the skill description. Because the manifest says this skill is for Temu US order workflows, permitting other sites or unrelated APIs broadens privilege and can expose or modify data outside the expected tenant and business function.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The examples and documentation cover decrypted shipping addresses plus SN/IMEI and verification uploads, which are privacy-sensitive and potentially regulated data categories, but there is no explicit warning, minimization guidance, or handling policy. In an order-management context, this creates a real risk of unnecessary collection, unsafe logging, accidental retention, or disclosure of personal and device-identifying information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document recommends saving Temu access tokens to a local file path and shows example commands that persist live credentials, but it does not warn that these are sensitive secrets or describe minimum protections such as file permissions, encryption, redaction, rotation, or exclusion from backups/logs. In a skill focused on order management APIs, these tokens can grant access to order, shipping, address, and verification workflows, so insecure local storage increases the risk of account compromise and exposure of customer or operational data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document explicitly describes authentication material (`LINKFOXAGENT_API_KEY`, `accessToken`, `storeKey`) and an API flow that can retrieve decrypted shipping information, but it does not include handling restrictions, redaction guidance, or an explicit warning that these fields expose sensitive credentials and personal data. In an agent skill context, such operational docs can directly shape tool behavior, so omission of safeguards increases the risk of unauthorized disclosure, over-collection, or accidental logging of tokens and PII.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow lists `bg.order.decryptshippinginfo.get` as a normal step and labels it as returning decrypted sensitive address data, but does not include any warning, approval requirement, or limitation on when that endpoint should be used. Because this skill is specifically for order operations, the omission is more dangerous: an agent or operator may treat full decrypted recipient data as routine output, leading to unnecessary exposure of customer PII.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
This documentation explicitly describes an API that returns full recipient address and contact fields, including name, phone numbers, email, and detailed address components, but it does not include any privacy warning, access-control guidance, or data-minimization guidance. In an order-management skill, this increases the risk of inadvertent exposure, over-collection, or misuse of personally identifiable information by downstream users or agents.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This document instructs users to upload highly sensitive device identifiers (SN/IMEI) and second-hand authentication codes, but it does not include any explicit privacy, data-classification, retention, masking, or lawful-use guidance. That omission increases the risk that operators or downstream tooling will mishandle regulated or sensitive identifiers in prompts, logs, examples, screenshots, or support workflows, causing unnecessary exposure of device-linked data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document instructs users to manually copy a Temu access token and optionally save it to a local store, but it does not describe the token as a secret, warn against sharing or logging it, or define secure storage requirements. In the context of order management and shipping APIs, a leaked token could enable unauthorized access to order data, addresses, logistics actions, or other seller operations through the LinkFox proxy flow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code persists Temu access tokens in plaintext JSON on local disk and returns the storage path, but it does not set restrictive file permissions, encrypt the secret, or provide any warning about the sensitivity of the credential. On multi-user systems, backups, logs, or accidental file sharing could expose long-lived partner API tokens and allow unauthorized order access or operations.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The file download helper forwards both an access token and a user-supplied URL to a backend download service without any visible validation or allowlisting of the URL. If the downstream service fetches that URL server-side, this can enable SSRF or fetching attacker-controlled resources using an authenticated backend path, which is more dangerous in an order-management skill that handles sensitive operational data.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The script prints the retrieved access token in cleartext to stdout, which can expose credentials to terminal history, logs, orchestration layers, agent transcripts, or downstream tools. In an agent skill context, this is especially dangerous because secrets may be surfaced to users or captured by monitoring systems, enabling unauthorized API access with the store's privileges.

VirusTotal

65/65 vendors flagged this skill as clean.