Back to skill

Security audit

Temu类目搜索

Security checks across malware telemetry and agentic risk

Overview

This skill is a Temu category lookup helper that uses a LinkFox API and local result files, with some configuration and documentation caveats users should understand.

Install only if you intend to use LinkFox's Temu category service. Keep the API key in a trusted environment, do not set a custom gateway unless you control it, and expect query results and cache files to be stored locally under linkfox output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The documentation for a category-search skill includes a separate feedback-submission API that is unrelated to the skill’s primary function. In agentic contexts, extra documented endpoints can expand the model’s perceived tool surface and may cause unintended data transmission, including user content being sent to an external service without clear user intent or necessity.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module documentation promises that writing to /tmp is forbidden and that a non-writable current directory should cause an error, but the implementation silently falls back to other locations including the system temporary directory. This mismatch can cause sensitive response data to be written to less trusted storage than users expect, weakening privacy and forensic guarantees.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as searching locally synchronized Temu category data, but instead it sends the query to a remote gateway endpoint. This is a material behavior mismatch that can expose user queries and related metadata off-host without informed consent, making the skill more dangerous because users would reasonably expect offline/local-only processing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads API credentials and multiple session/application identifiers from environment variables even though the stated purpose is local category lookup. Collecting and transmitting this extra context increases the blast radius of compromise and indicates unnecessary access to sensitive runtime metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is very broad: it activates not only on explicit tool mentions but also whenever a user appears to want category lookup in the local Temu category database. Overly permissive routing can invoke the skill in unintended contexts, causing incorrect tool use, unnecessary data access, or confusing workflow chaining in larger agent systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits SESSION_ID, MODE_ID, and APP_NAME in outbound HTTP headers without clear user-facing disclosure. This can leak operational metadata to the remote service and enables unintended tracking or correlation of user sessions, particularly problematic in a skill presented as local-data search.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.