Temu Price Global

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a Temu pricing helper, but it also exposes broad proxy, file-download, and plaintext token-management capabilities that deserve review before installation.

Install only if you intentionally want a broad LinkFox/Temu operations helper, not just a narrow Global pricing wrapper. Use least-privilege Temu tokens, avoid saving raw tokens locally when possible, do not run the unmasked token-listing or raw token retrieval helpers in logged environments, and require a manual review/confirmation step before any batch SKU price change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill declares no permissions, yet its documentation clearly indicates access to environment secrets, local file writes for token persistence, and outbound network calls to LinkFox/Temu gateways. This creates a hidden capability surface that can expose credentials or perform actions users and reviewers did not explicitly authorize.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The manifest presents the skill as a narrow global pricing wrapper, but the content exposes a generic Temu proxy, signed file download, token validation, token management, and multi-site support. That mismatch is dangerous because users may invoke the skill under the assumption of limited scope while it can access broader APIs and credential-handling flows.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding:
The documentation claims only five price-related interfaces are exposed, yet it also advertises a generic proxy and signed file-download capability. This broadens the operational surface beyond what a consumer of the skill would reasonably expect, enabling access to additional APIs or sensitive exports through the same trust boundary.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding:
Although the skill is framed as a pricing API wrapper, it includes local token storage, retrieval, and listing utilities that are unrelated to simple price queries or updates. Credential management inside a business-action skill increases the risk of token leakage, reuse, or abuse if the local environment is shared or compromised.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
Persisting Temu access tokens locally is a real security issue because these credentials can likely authorize pricing and related seller operations if read by another process or user on the host. The skill's stated purpose does not require durable local credential storage, so this materially increases credential theft and unauthorized action risk without clear necessity.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The script retrieves a stored Temu access token and returns it verbatim in JSON, which directly exposes a reusable credential to any caller able to invoke the script or capture its output. In the context of a pricing skill, raw token disclosure is broader than necessary and increases the chance of credential theft, logging leakage, or reuse across unrelated actions.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
This script exposes a capability to enumerate locally saved Temu access tokens, and it even supports disabling masking via a user-controlled parameter. That behavior is not required for a price/supply-price API skill and increases the risk of credential discovery, lateral movement, and misuse of authenticated Temu APIs if the script is invoked by an attacker or an over-privileged agent.

Description-Behavior Mismatch

High
Confidence: 95%
Finding:
This script adds a signed file download capability to a skill whose declared purpose is Temu Global pricing and supply-price operations. Scope mismatch is dangerous because it expands the agent’s reachable actions beyond user-expected pricing APIs into arbitrary resource retrieval through Temu’s fileDownload endpoint, increasing the chance of data exfiltration, unauthorized access to signed resources, or misuse of privileged tokens.

Intent-Code Divergence

Medium
Confidence: 79%
Finding:
The module documentation advertises US-site usage even though the skill metadata states Global-only pricing scope by default. This inconsistency can mislead integrators or routing logic into invoking the script for out-of-scope regions, weakening policy boundaries and making the broader file-download capability harder to detect or govern.

Description-Behavior Mismatch

High
Confidence: 92%
Finding:
The script exposes a file download operation through global_file_download_call even though the skill manifest describes only pricing and supply-price APIs. That scope mismatch is dangerous because it creates hidden capability beyond user and platform expectations, potentially enabling retrieval of arbitrary remote files or sensitive exports if an access token is provided and the gateway permits it.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding:
This script is a generic Temu API proxy: it accepts an arbitrary "type" value and forwards caller-supplied parameters and access tokens to the backend, rather than restricting requests to the five price-related Global APIs described in the skill manifest. In an agent setting, this creates a scope-expansion vulnerability where the skill can be used to invoke unintended Temu operations outside its declared permissions, undermining least privilege and user expectations.

Description-Behavior Mismatch

Low
Confidence: 83%
Finding:
The skill metadata says this skill is for Temu Global pricing, but the code accepts any validated site value from user input instead of pinning requests to global. That mismatch allows cross-site use through a skill that appears narrower than it really is, which can route operations to unintended regional contexts and bypass policy or user consent assumptions.

Missing User Warnings

Medium
Confidence: 86%
Finding:
The skill documents a bulk SKU price-change operation without an explicit warning, confirmation step, or discussion of business impact. In this context, silent or poorly signposted price modification is risky because mistaken execution can alter live catalog pricing at scale and cause financial or operational damage.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The document explicitly recommends persisting a live Temu access token in a local JSON file and provides a workflow that normalizes storing credentials on disk. Even though this may be operationally convenient, there is no accompanying guidance about file permissions, encryption, secret manager usage, shell history exposure, or risks from multi-user machines and endpoint compromise, so it meaningfully increases the chance of credential disclosure.

Missing User Warnings

Medium
Confidence: 94%
Finding:
This documentation exposes a batch SKU base-price modification capability that can directly alter commercial pricing at scale, but it does not include any explicit warning, confirmation requirement, or operator-safety guidance about the business impact of unintended execution. In an agent skill context, the absence of cautionary language increases the risk that an automated system or user will invoke a partially destructive action without understanding that it may change many SKUs, create price orders, or cause revenue loss and operational disruption.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The code persists Temu access tokens in a local JSON file in plaintext without setting restrictive file permissions or adding safeguards around secret storage. If the host is shared, backed up insecurely, or compromised by another local process, these credentials can be read and reused to access or modify Temu pricing and supply data.

Missing User Warnings

Medium
Confidence: 98%
Finding:
Printing the access token to stdout makes the secret available to shell history, process capture, pipeline consumers, agent logs, and user-visible output channels. Because access tokens are bearer credentials, any party that obtains the output can potentially impersonate the store and perform unauthorized API operations.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The script accepts a sensitive access token on the command line and saves it locally without any user-facing warning or visible safeguards. Command-line arguments can be exposed through shell history, process listings, logs, and local storage, so a token intended for API access could be recovered by other local users or support tooling and then abused to access Temu resources.

VirusTotal

66/66 vendors flagged this skill as clean.
