Temu Returns Refunds US

Security checks across malware telemetry and agentic risk

Overview

This Temu returns skill may be legitimate, but it needs review because it stores sensitive tokens locally and includes broader Temu proxy/download tools than the advertised US returns scope.

Install only if you trust LinkFox with Temu seller access tokens and returns/order data. Prefer passing short-lived tokens from a secure secret manager instead of saving them with this skill, avoid printing tokens in logs or chat transcripts, and restrict use to the documented US returns/refunds scripts rather than the generic proxy/download helpers unless you intentionally need that broader access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises network access, environment-variable use, and local file-writing behavior but does not declare permissions or clearly bound those capabilities. In practice this can mislead operators and downstream policy engines about what the skill can do, especially because it handles API keys and Temu access tokens and includes scripts that save tokens locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a narrow US returns/refunds skill, but the file exposes broader capabilities including generic proxying, token management, signed file download, and references to multi-site and multi-purpose token usage. That mismatch weakens least-privilege expectations and can let a user or calling agent invoke actions far outside the apparent aftersales scope, including arbitrary API forwarding with sensitive credentials.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script enumerates locally stored Temu access tokens and supports disabling masking via user input, which can directly expose usable credentials to anyone with local/script access. That capability is not necessary for a returns/refunds integration and increases the risk of credential leakage through terminal output, logs, screenshots, shell history, or misuse by operators and other tooling.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script persists a reusable access token to a local store, which creates credential-at-rest risk without any visible controls in this file such as encryption, expiration enforcement, access restrictions, or minimization. In a skill whose stated purpose is returns/refunds operations, keeping reusable partner tokens locally broadens the blast radius if the host, filesystem, logs, backups, or neighboring tooling are compromised.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script adds a generic Temu signed-file download capability to a skill whose declared scope is limited to US returns and refunds workflows. Scope mismatch is a real security concern because it can let users retrieve arbitrary signed resources unrelated to aftersales operations, expanding the skill's effective privileges beyond what operators and users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code accepts a caller-supplied URL and forwards it to the backend file download API with no visible restriction tying it to a particular return or refund record. If the backend honors any valid signed URL, an attacker or overprivileged user could use this skill to fetch arbitrary signed Temu resources, potentially exposing sensitive documents or data outside the intended business workflow.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script is implemented as a generic Temu API proxy even though the skill is advertised as a narrow US returns/refunds integration. That mismatch materially expands the reachable API surface, enabling callers to invoke unrelated Temu operations through this skill and bypass user or platform expectations about scope and least privilege.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code accepts a caller-supplied site value via validate_site() rather than hard-binding the skill to the US marketplace described in the manifest. This allows use against non-US regions, broadening data access and operational reach beyond the advertised trust boundary.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger terms are broad and mixed-language, including generic words like return, refund, and aftersales references, which raises the chance of accidental invocation in unrelated contexts. Unintended triggering is more dangerous here because the skill can handle tokens and perform networked partner API actions affecting real order aftersales workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to provide LinkFox and Temu credentials and describes forwarding them to external gateway endpoints, but it does not prominently warn that secrets and potentially order/aftersales data will be transmitted off-platform. This creates a real risk of inadvertent credential disclosure or unsafe handling of sensitive business data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to persist long-lived Temu access tokens locally in a predictable file path and reuse them for API calls, but it does not warn about securing that file with restrictive permissions, encryption, or secret-management controls. If the workstation, home directory, backups, logs, or shared environment are exposed, an attacker could recover the token and perform unauthorized returns/refunds or query aftersales data through the linked APIs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to copy an access token from the Temu seller backend and notes it may be written to a local store, but it provides no guidance on secure handling, storage protections, rotation, or minimization. Access tokens are sensitive credentials; normalizing manual copying and local persistence without warnings increases the chance of token leakage through shell history, logs, screenshots, insecure files, or accidental sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists Temu access tokens in plaintext JSON on local disk without setting restrictive file permissions, encryption, or any safeguard around secret storage. If the host is multi-user, backed up, synced, or otherwise inspected by other software, these tokens can be recovered and used to access Temu partner APIs for returns/refunds operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script validates a LinkFox token by sending a probe request to a remote gateway using caller-supplied authentication material, but it provides no explicit user-facing disclosure that the token will be transmitted off-host. Even though this appears to be the intended functionality of a token-check helper, silent transmission of secrets to an external service increases credential-handling risk and can surprise users who expect only local validation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints the retrieved access token in plaintext JSON to standard output, which can leak credentials into logs, terminal history, calling-process captures, or chat/tool transcripts. In an agent skill context, this is especially dangerous because secrets may be exposed to users or downstream systems not intended to receive raw authentication material.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The usage example explicitly instructs operators to paste an access token on the command line, and command-line arguments are commonly exposed through shell history, process listings, audit trails, and support logs. The absence of any warning or safer input mechanism increases the chance of accidental credential disclosure during normal use.

VirusTotal

65/65 vendors flagged this skill as clean.
