Temu Tax EU

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive Temu credentials and includes broader Temu API proxy and token-storage abilities than its EU tax description clearly scopes.

Install only if you are comfortable giving this skill access to Temu and LinkFox credentials and using it through LinkFox's gateway. Prefer a dedicated EU tax token if available, avoid storing tokens locally unless necessary, do not paste real tokens into shared prompts or logs, and review the generic proxy/file-download scripts before allowing agents to call them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (30)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file explicitly states that for the tax skill, APIs default to `site=eu` and `tokenPurpose=product-inventory`, which is inconsistent with the later guidance that EU/Global order-style workflows use `order-shipping` and with the skill’s tax-specific context. In a tax/invoice skill, wrong token guidance can cause users to authorize the wrong app or overly broad permissions, leading to failed calls, accidental use of excessive privileges, or exposure of sensitive tax/invoice operations under an inappropriate token.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The site mapping table incorrectly labels `us` as Europe while also defining `eu` as Europe, creating ambiguous routing guidance for API calls. In a skill handling tax, invoices, and region-specific compliance data, this can misroute requests to the wrong gateway or cause users to fetch or submit sensitive documents under the wrong regional context.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The documentation is internally inconsistent: it states the skill handles gateway authentication fields, but the example still instructs callers to provide accessToken and tokenPurpose. In an agent/tooling context, this can cause users or downstream agents to pass sensitive credentials directly into prompts, logs, or untrusted execution paths, increasing the chance of token disclosure and misuse.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document states this endpoint is for tax-related Galerie signatures, yet it defaults the gateway credential scope to `product-inventory`. Using a broader or mismatched token purpose can cause callers to request and use the wrong privilege domain, enabling cross-domain authorization confusion and potentially granting inventory-scoped access for tax workflows.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The request example operationalizes the mismatch by instructing users to send `tokenPurpose: "product-inventory"` to a tax endpoint. In an agent skill, examples are often copied directly into production use, so this can normalize privilege misuse and lead to unauthorized access attempts or accidental acceptance of improperly scoped tokens if backend checks are weak.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The runnable script example repeats the inventory token purpose for a tax API, increasing the chance that users or automation will execute the call with the wrong credential scope. Because this skill handles tax and invoice workflows, scope confusion is more dangerous than in a generic API context: it can expose sensitive financial documents or create a pathway for cross-function access if permissions are not tightly segmented.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation states a default tokenPurpose of "product-inventory" for a tax invoice download API, which suggests a scope/permission mismatch between the business function and the credential purpose. This can encourage use of broader or incorrect tokens across domains, weakening least-privilege controls and potentially enabling unauthorized access to tax invoice data if the gateway accepts that scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation for a tax-report download endpoint explicitly defaults authentication to `tokenPurpose=product-inventory`, which is an unrelated scope for financial/tax operations. This can encourage scope confusion or privilege misuse, potentially allowing a broader or incorrect token class to access sensitive EU tax report workflows and weakening authorization boundaries.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file describes tax handling but repeatedly instructs users to supply a product-inventory token purpose, reinforcing an authorization mismatch in security-sensitive documentation. In a skill handling VAT and invoice/report operations, this increases the risk that operators and downstream tooling will use the wrong credential class to retrieve regulated financial data.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document sets a default tokenPurpose of "product-inventory" for a tax invoice upload API, which is an authorization-scope mismatch. In systems where token purpose influences permissions or routing, this can cause overbroad token reuse, confused-deputy behavior, or accidental access under the wrong business context for sensitive tax and invoice operations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The authorization-flow document materially exceeds the skill's declared EU tax-only scope by describing broader Temu site and managementType combinations, including CN/partner/global and non-tax product, inventory, order, and shipping usage. In a credential-handling workflow, this scope expansion can mislead users into supplying tokens with broader privileges than necessary, increasing the chance of over-privileged access and misuse outside the intended skill boundary.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module materially broadens the skill from EU Tax APIs to general Temu token-acquisition guidance for multiple shop types and business functions. In this skill context, that overbroad credential guidance can cause users to obtain highly privileged access tokens unrelated to tax workflows, increasing the chance of misuse, over-collection of privileges, and cross-scope access beyond the manifest's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code explicitly provides authorization instructions for product-inventory and order-shipping use cases, which are unrelated to an EU Tax skill. That mismatch encourages users to grant unnecessary permissions and handle tokens that may authorize broader operational APIs, violating least privilege and making credential abuse more damaging if those tokens are later stored or exposed.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script retrieves a sensitive access token from local storage and emits the raw credential in JSON to stdout. In agent, automation, or logging environments, stdout is often captured by logs, tool traces, transcripts, or downstream components, which can leak reusable credentials and enable unauthorized API access.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This script stores a Temu access token locally for later reuse, but the skill manifest describes a narrowly scoped EU tax integration. A generic token-persistence helper broadens the skill from tax API access into credential management, creating capability drift and increasing the chance that tokens for unrelated scopes, regions, or workflows are retained and later misused.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code accepts arbitrary store identifiers, site, management type, token purpose, labels, and a raw access token, then saves them through a generic token store. In a skill advertised for EU tax APIs, this creates an unjustified credential storage primitive that could be repurposed to warehouse reusable tokens for other business functions, expanding the blast radius if the local store is accessed or abused.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is a generic signed-file download helper and is not constrained to the EU tax-specific API scope described in the skill metadata. That mismatch can let the skill be used to access or proxy broader Temu signed resources than intended, increasing the chance of unauthorized data access or policy bypass if a caller supplies arbitrary signed URLs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Although the skill is declared for Temu Europe tax operations, the request builder accepts any site value permitted by validate_site rather than enforcing EU-only operation. This enables cross-region use under a narrower-looking skill, which can expose non-EU resources, defeat least-privilege expectations, and make authorization review misleading.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script implements a generic Temu proxy that forwards arbitrary API `type` values with caller-supplied parameters and tokens, which materially exceeds the manifest's stated EU Tax-only purpose. That mismatch can let users invoke unrelated Temu APIs through this skill, weakening least-privilege boundaries and enabling unauthorized access to broader platform capabilities if valid credentials are available.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring and usage example advertise a generic Temu proxy and even demonstrate CN goods-category API usage, directly contradicting the declared EU Tax scope. This is dangerous because documentation often drives agent/tool selection and operator behavior; misleading examples can normalize out-of-scope invocation and hide that the implementation is broader than intended.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document recommends storing Temu access tokens on disk in a predictable local path, but does not clearly warn that these are sensitive bearer credentials or describe the security risks of local persistence. If the host is multi-user, compromised, backed up insecurely, or the file permissions are weak, an attacker could steal the token and access invoice, tax, and merchant data through the proxy workflow.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The example shows an accessToken placeholder in request JSON and CLI usage without any warning that it is sensitive. Even though the token value is not real, this normalizes passing secrets inline on the command line or in markdown examples, which commonly leads to exposure via shell history, process listings, screenshots, or logs.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation describes an API that returns invoice details, order identifiers, transaction references, pricing, VAT, shipping, and related financial metadata, but it provides no warning that these fields are sensitive and should be handled as confidential data. In a skill that helps an agent invoke the API, this omission increases the likelihood of over-collection, unnecessary display, logging, or unsafe downstream sharing of tax and invoice data.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation shows use of an access token and a response containing a downloadable `fileUrl` for merchant tax reports, but it omits handling guidance for sensitive financial data. Without warnings about secure storage, restricted sharing, redaction, and expiration of report URLs, users may inadvertently expose VAT or merchant tax information through logs, chat transcripts, or insecure downloads.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
This documentation describes uploading invoices tied to order identifiers and externally hosted file URLs without any security guidance on sensitive financial data handling, URL validation, or trusted file sources. In practice, this omission increases the chance of SSRF-style fetches, malicious file submission, leakage of invoice data, and insecure handling of personal or financial records by downstream users and implementers.

VirusTotal

66/66 vendors flagged this skill as clean.
