Temu Returns Refunds EU

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about using LinkFox and Temu tokens, but it exposes broad Temu API and file-download capabilities and stores sensitive tokens in a weak local format.

Install only if you trust LinkFox with Temu seller tokens and aftersales/order data. Prefer using scoped tokens, avoid pasting production tokens into chat or command history, do not use the generic proxy for unrelated Temu APIs, and treat the local token store as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
This skill is scoped and described as handling Temu EU returns/refunds workflows, but the file exposes a generic signed file download capability via /temu/fileDownload. That creates a scope mismatch that can enable retrieval of arbitrary signed resources unrelated to returns/refunds, increasing data exposure risk and expanding the skill's effective privileges beyond what users and reviewers would expect.

Description-Behavior Mismatch

High (98% confidence)
Finding
This script implements a generic Temu proxy that accepts an arbitrary API `type` and forwards caller-supplied `params`, rather than constraining operations to EU returns/refunds endpoints described by the skill manifest. In an agent setting, this creates a scope-break capability: users or prompts that merely trigger the returns/refunds skill could invoke unrelated Temu APIs with the provided access token, enabling unauthorized actions or data access beyond the declared permission boundary.

Intent-Code Divergence

Medium (90% confidence)
Finding
The module documentation explicitly presents the tool as a general Temu API proxy, which conflicts with the skill's declared purpose of handling only EU returns/refunds workflows. This mismatch is dangerous because it signals and normalizes broader functionality than users, reviewers, or policy controls would expect, increasing the likelihood of misuse and hiding the true attack surface.

Vague Triggers

Medium (84% confidence)
Finding
The trigger description includes broad multilingual keywords such as 'return', 'refund', 'aftersales return', and related order-service phrases without clear boundaries or disambiguation. This can cause the skill to activate in unintended conversations and then prompt for or process sensitive order, refund, or token data through its gateway flows.

Missing User Warnings

Medium (93% confidence)
Finding
The skill clearly states that authentication material and business requests are sent to an external LinkFox gateway, including Authorization/Token headers and Temu accessToken or storeKey, but it does not provide a prominent user-facing risk notice or consent step. Because this skill operates on returns/refunds workflows, the transmitted data may include account credentials, order identifiers, after-sales records, and downloadable signed files, making undisclosed third-party forwarding materially risky.

Missing User Warnings

Medium (90% confidence)
Finding
The documentation instructs users to pass sensitive credentials such as `LINKFOXAGENT_API_KEY`, `accessToken`, `storeKey`, and duplicate auth headers through a third-party gateway, but it does not warn about secure handling, storage, logging, or transmission risks. In an agent skill context, this is dangerous because users or downstream tooling may paste live tokens into commands or request bodies that can be logged, persisted, or exposed to intermediaries.

Missing User Warnings

Medium (86% confidence)
Finding
The document instructs users to copy a Temu access token from the seller backend and optionally save it to a local store, but it provides no guidance on treating the token as a secret, limiting retention, encrypting storage, or avoiding leakage through logs and screenshots. In the context of an authorization flow for commerce APIs, this omission can lead to credential exposure and unauthorized access to returns, refunds, or order-management functions.

Missing User Warnings

Medium (92% confidence)
Finding
The code persists Temu access tokens in plaintext JSON on local disk without setting restrictive file permissions or warning users that long-lived credentials are being stored. If the host is multi-user, backed up, synced, or otherwise accessible to other local processes, the tokens can be recovered and used to access partner APIs and potentially perform return/refund operations.

Missing User Warnings

Medium (98% confidence)
Finding
The script prints the retrieved access token directly to stdout in JSON, which can expose sensitive credentials to logs, calling agents, shell history, pipeline outputs, or other downstream tooling. In an agent/integration context, this is especially risky because secrets may be captured automatically and then reused to access Temu APIs beyond the immediate task.

Missing User Warnings

Medium (98% confidence)
Finding
The script accepts a sensitive access token directly on the command line, which can expose the secret through shell history, process listings, audit logs, and crash reporting on shared or monitored systems. Because the tool then persists the token for later reuse, accidental disclosure can enable unauthorized API access beyond the immediate session.

VirusTotal

66/66 vendors flagged this skill as clean.