Temu Promotion Global

Security checks across malware telemetry and agentic risk

Overview

This Temu promotion skill is mostly transparent about its commerce API purpose, but it includes broad Temu proxy/file-download tools and plaintext token handling that deserve review before installation.

Install only if you trust the publisher and are comfortable sending Temu API requests through the LinkFox gateway. Treat Temu access tokens as passwords: avoid pasting them into logs or shared chats, do not use the unmasked token listing except for controlled local debugging, restrict permissions on the token store, and confirm any operation that enrolls, updates, or deactivates promotion goods.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (14)

Context-Inappropriate Capability

Medium (89% confidence)
This script enumerates locally stored Temu access tokens, which is unrelated to the stated promotion-API purpose of the skill and exposes sensitive credential material through a convenience utility. Even though tokens are masked by default, the `mask: false` option explicitly enables full token disclosure, creating a straightforward path for credential leakage, misuse, or lateral movement by anyone with local execution access.

Description-Behavior Mismatch

Medium (90% confidence)
This script exposes a generic signed-file download capability even though the skill manifest describes a promotion-focused API surface. Scope expansion like this is dangerous because it can enable retrieval of arbitrary Temu-signed resources, potentially including sensitive exports or internal files, and may bypass user and platform expectations about what the skill is allowed to do. In this context, the mismatch between declared purpose and implemented capability increases suspicion because users invoking a promotion skill would not reasonably expect a file-download primitive.

Description-Behavior Mismatch

Medium (95% confidence)
The script is implemented as a generic Temu API proxy: it accepts an arbitrary API 'type' and arbitrary 'params', then forwards them to the backend proxy. That exceeds the declared promotion-only scope of the skill and creates a scope-bypass primitive that could be used to invoke unrelated Temu capabilities, increasing the chance of unauthorized or unintended operations with a supplied access token.

Intent-Code Divergence

Medium (88% confidence)
The module documentation explicitly describes the script as a general Temu API proxy and its example uses a non-promotion endpoint, which reinforces that the implementation is broader than the skill's advertised purpose. This mismatch is dangerous because operators and downstream controls may trust the manifest's narrow scope while the code enables much wider API access.

Vague Triggers

Medium (82% confidence)
The trigger text uses broad natural-language phrases around promotion and product-inventory scenarios, which can cause the skill to activate in contexts where the user did not intend to invoke this specific integration. Unintended invocation is more concerning here because the skill has network and token-related capabilities that could operate on sensitive commerce data or credentials.

Missing User Warnings

Medium (90% confidence)
The skill discloses gateway calls and token-related scripts, including saving access tokens locally, but does not provide an explicit warning that sensitive data may be transmitted to a third-party gateway or persisted on disk. In a commerce integration, lack of notice increases the risk of inadvertent credential exposure, unsafe local storage, and compliance/privacy issues.

Missing User Warnings

Medium (88% confidence)
The documentation encourages storing a Temu access token on disk in a predictable local file path, but it does not clearly warn that the token is a sensitive credential equivalent to API authorization. If that file is readable by other local users, accidentally committed, included in backups, or exposed through logs or malware, an attacker could reuse the token to access Temu business APIs and act on behalf of the seller account.

Missing User Warnings

Low (90% confidence)
The documentation includes an example that exports an API key and passes an access token on the command line without any warning about secret handling. In real environments, shell history, process listings, shared terminals, CI logs, or copied documentation snippets can expose these credentials, leading to unauthorized API access.

Missing User Warnings

Medium (93% confidence)
The documentation exposes a destructive operation (`operateType=30` deactivates activity goods) without any explicit warning, confirmation requirement, or guidance to verify user intent before invoking it. In an agent skill context, this increases the risk of accidental or unauthorized disabling of promotional listings, which can disrupt active campaigns and cause business loss even if no code execution flaw exists.

Missing User Warnings

Medium (95% confidence)
The document instructs users to manually copy a Temu access token from the seller backend and optionally save it to a local store, but it provides no warning that the token is a sensitive credential or guidance on secure handling. In this skill context, that is a real security issue because the token appears sufficient to authorize downstream proxy/API calls, so mishandling could expose store data or allow unauthorized promotion-related actions.

Missing User Warnings

Medium (88% confidence)
The guide explicitly tells users to copy and save an access token, but it does not clearly warn that the token is a sensitive credential equivalent to account/API access. In an agent skill context, this increases the chance users will paste tokens into logs, chats, scripts, or insecure storage, enabling unauthorized API access if the token is exposed.

Missing User Warnings

Medium (92% confidence)
The code persists Temu access tokens in plaintext JSON on disk and does not set restrictive file permissions or use a secure secret store. If the host is multi-user, backed up, inspected by other local processes, or the path is redirected to an unsafe location, those tokens can be stolen and used to access seller APIs.

Missing User Warnings

Medium (96% confidence)
The script prints a live access token in plaintext to standard output, which can expose credentials through terminal history, logs, process capture, CI job output, or downstream tool chaining. In an agent skill context, this is especially risky because the token may be surfaced to the model, calling framework, or user-visible transcripts and then reused to access Temu partner APIs.

Missing User Warnings

Medium (83% confidence)
The script explicitly accepts an access token from the command line and saves it to a local store, but provides no warning about the sensitivity of that secret or the risks of local persistence. In addition, passing secrets via CLI arguments can expose them through shell history, process listings, and logs, making accidental disclosure more likely in real deployments.

VirusTotal

65/65 vendors flagged this skill as clean.
