Temu Promotion US

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Temu/LinkFox promotion integration, but it also exposes broad Temu API proxying and plaintext credential handling beyond the narrow US promotion purpose.

Review this carefully before installing. Use it only if you trust LinkFox and the publisher with Temu seller credentials, avoid saving access tokens unless necessary, do not pass secrets in shell history or shared logs, and prefer a narrowly scoped Temu token. Treat the generic proxy and file-download helpers as powerful account-level tools, not just promotion helpers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises built-in scripts that use environment variables, local token persistence, and outbound network access, but it does not declare permissions or capability boundaries. This creates hidden authority: a caller may invoke functionality that can contact external services and write sensitive Temu access tokens to disk without an explicit trust prompt or policy guard.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a narrow Temu US promotion integration, but the documented scripts include generic proxying of arbitrary API types, signed file download, token management on disk, and multi-site/non-promotion workflows. This scope expansion is dangerous because users and policy engines may trust the skill for a limited business function while it actually enables broader API access and credential operations that could be abused for unauthorized data access or unintended actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This promotion-scoped skill includes authorization guidance for broader Temu domains such as product-inventory and order-shipping, expanding the skill beyond its declared least-privilege scope. That can lead users to obtain and store tokens with permissions unrelated to promotions, increasing credential exposure and the blast radius if those tokens are mishandled or reused.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script retrieves a Temu access token from local storage and returns the raw credential in JSON to stdout. In an agent skill context, emitting bearer tokens directly is dangerous because downstream tools, logs, transcripts, or untrusted callers can capture and reuse the token to access Temu APIs beyond the narrow promotion workflow described by the skill metadata.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script persists arbitrary Temu access tokens locally and accepts broad scope parameters such as non-US sites and non-promotion token purposes. In a skill declared for Temu US promotion APIs, this creates a scope mismatch that can enable collection, reuse, or accidental exposure of credentials for unrelated accounts or API domains, increasing the blast radius if the local store is accessed.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The embedded usage example explicitly advertises saving a CN semi-managed product-inventory token, which contradicts the skill's stated US promotion-only purpose. This mismatch is dangerous because it normalizes use of the skill as a generic credential sink for broader Temu operations, making operator misuse and unauthorized credential retention more likely.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script is a generic Temu API proxy: it accepts arbitrary API "type", forwards caller-supplied "params", and only validates site/managementType formatting before sending the request. That exceeds the skill's declared US promotion-only scope and can enable use of unrelated Temu APIs through this skill, undermining least privilege, scope-based routing, and any policy assumptions made by users or downstream systems.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring explicitly describes broad Temu API proxying and provides an example for a non-promotion goods category mapping API, which contradicts the skill's stated promotion-only purpose. This mismatch is dangerous because it signals and documents out-of-scope use, making misuse easier and increasing the chance operators or agent orchestration will route sensitive non-promotion actions through a skill that should not have them.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explicitly recommends saving Temu access tokens to a local file and even gives the default storage path, but it does not warn that these tokens are sensitive credentials equivalent to API authorization. If the file is stored with weak filesystem permissions, synced to cloud storage, committed to source control, or accessed by other local users/processes, an attacker could reuse the token to call Temu business APIs and act on the seller account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to transmit sensitive credentials through multiple channels, including HTTP headers, environment variables, and even a JSON request body, but provides no safety guidance on redaction, logging, storage, or transport handling. In an agent/tooling context, this increases the chance that API keys and access tokens are exposed in command history, debug logs, transcripts, telemetry, or downstream error messages, enabling unauthorized access to merchant promotion APIs.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document instructs users to copy a Temu access token from the seller backend and notes that it may be written to a local store, but it provides no guidance on secure storage, masking, rotation, or least-privilege handling. Because this skill is specifically about authenticated promotion-management API access, mishandling the token could enable unauthorized API calls against a merchant account if the local store or logs are exposed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly tells users to copy and save an access token but does not clearly warn that the token is a sensitive secret equivalent to account/API credentials. Users may paste it into insecure locations, logs, chats, or scripts without proper handling, enabling unauthorized API access across seller operations if the token leaks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Temu access tokens in plaintext JSON on the local filesystem and does not set restrictive permissions or use an OS-backed secret store. If the host is shared, compromised, or backed up/synced insecurely, these tokens can be recovered and used to access seller APIs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file download helper sends both an access token and a user-supplied URL to a remote endpoint without any validation or allowlisting of the URL. If the downstream service fetches that URL, this creates an SSRF-style risk and can also cause sensitive authenticated actions to be coupled with attacker-controlled destinations, which is more dangerous in a promotion/e-commerce integration that handles privileged partner tokens.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script explicitly allows a LinkFox token to be passed on the command line, which can expose the secret through shell history, process listings, CI logs, and audit tooling. Although this is a local operational-security issue rather than remote code execution, the token appears to authenticate gateway access, so disclosure could let another party use the associated LinkFox account or APIs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints the retrieved access token directly to stdout without masking or warning, which can leak credentials into agent outputs, audit logs, shell history, or calling systems. Because access tokens are bearer secrets, anyone who obtains the output may impersonate the store and perform unauthorized Temu operations until the token expires or is revoked.

VirusTotal

VirusTotal findings are pending for this skill version.
