Back to skill

Security audit

Temu全球站-合规

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real Temu compliance integration, but it also exposes broad Temu API proxying and risky local credential/response storage that users should review before installing.

Install only if you trust LinkFox with Temu seller API traffic and need this compliance workflow. Treat Temu access tokens as account credentials, avoid saving them on shared machines, do not print or paste real tokens into logs, and review or restrict the generic proxy scripts before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities to read environment variables, write files in the working directory, and make outbound network requests, but it does not declare permissions. That creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate what the skill can access, while the skill can handle API keys, write response data locally, and contact external services.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The shared helper adds a generic local persistence layer that saves full API responses to disk under a cross-session directory structure, which exceeds the stated role of a compliance API forwarding wrapper. Because compliance responses can contain product qualification data, store identifiers, and other sensitive business information, this creates unnecessary at-rest exposure and a larger attack surface on the host.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code creates a reusable root directory, session folders, and an index file that support cross-session storage and discovery of prior outputs. For a compliance API wrapper, this is not operationally necessary and enables accumulation of sensitive historical data that other local processes or users may enumerate and access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script is a credential retrieval utility that reads a locally stored Temu access token and prints it in full to stdout. In the context of a compliance/API-forwarding skill, exposing bearer tokens is more dangerous because it enables unrelated authenticated API access beyond the stated purpose and can be easily exfiltrated via logs, terminal history, or downstream tooling.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code provides a direct credential-extraction path: given store identifiers and context values, it retrieves a stored access token and returns it verbatim. Because this capability is not inherently required for product compliance operations, it widens the attack surface and makes misuse or unauthorized reuse of marketplace credentials straightforward.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script enumerates locally saved Temu access tokens and can optionally print them unmasked via a user-controlled parameter. Access tokens are sensitive secrets, and exposing or facilitating retrieval of them is not necessary for a compliance-focused skill, making credential disclosure and subsequent unauthorized API access a realistic risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script introduces a credential-storage capability that is broader than the declared compliance-only purpose of the skill. In a compliance-focused integration, persisting reusable access tokens locally expands the trust boundary and can enable unintended reuse of privileged credentials by other local processes or later tool invocations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script accepts a raw access token from the user and saves it locally, but the stated skill purpose is compliance API access rather than credential management. That mismatch creates unnecessary secret retention risk: if the local store is accessible, backed up, logged, or reused by adjacent tooling, the token could be exposed and used beyond the user's immediate intent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script accepts an arbitrary API "type" from user input and forwards the full parameter set to a generic Temu Global proxy, which is broader than the skill’s declared compliance-only scope. In a compliance-scoped skill, this creates a scope-bypass/overbroad capability issue: users can potentially invoke unrelated Global APIs through the gateway using the skill’s trust boundary and available token material.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module docstring explicitly describes a "Temu Global product API generic proxy," which contradicts the skill metadata claiming a compliance-focused integration. This inconsistency is a security concern because it signals the code may have been repurposed or intentionally left broader than advertised, increasing the chance of unauthorized product or non-compliance API access through a misleadingly scoped skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script implements a generic Temu proxy driven by a caller-supplied `type` and arbitrary `params`, while the skill metadata claims a much narrower Global compliance-only capability. That mismatch weakens scope boundaries and can enable invocation of unrelated Temu APIs through this skill, increasing the chance of unauthorized actions or data access if the surrounding platform trusts the manifest-scoped description.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The usage example explicitly shows `site: "cn"`, and the code only calls a generic `validate_site(...)` rather than constraining the site to `global`, despite the skill being described as Global compliance only. This broadens the operational scope beyond what users and orchestrators would expect and may route requests to non-global environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document recommends storing a Temu access token on disk in a predictable local file path and shows commands to persist it, but it does not clearly warn that the token is a sensitive credential or describe required protections such as restrictive file permissions, encryption, or secure secret storage. If the host is shared, compromised, backed up insecurely, or the home directory is exposed, the token could be stolen and used to access Temu business APIs with the seller's privileges.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly instructs users to upload product certification and qualification documents, including file URLs, identifiers, and images, to an external API, but provides no warning about the sensitivity of compliance artifacts or the privacy/security implications of transmitting them through a gateway. In a compliance workflow, these documents can contain regulated business information, traceability data, and potentially personal or confidential material, so omission of handling guidance increases the risk of accidental oversharing or insecure transmission.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly supports uploading base64-encoded compliance files to an external Partner Global API through the LinkFox gateway, but it does not clearly warn users that potentially sensitive compliance documents will be transmitted off-platform. In a compliance context, uploaded files may contain certificates, product records, or regulated documentation, so missing disclosure and handling guidance increases the risk of unintentional sensitive-data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document describes an operation that edits live product compliance data, including governance attributes, GPSR, and certificates, but does not warn that the action is state-changing or potentially irreversible. In an agent skill context, this increases the risk of accidental unauthorized or unintended modification of merchant compliance records, which can cause listing disruption, regulatory issues, or integrity problems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example shows how to export an API key and pass an access token in a command line invocation without any caution about token secrecy, shell history exposure, or log leakage. In agent and automation environments, such examples normalize insecure credential handling and can lead to compromise of inventory-management capabilities if copied directly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document shows direct use of an access token in a command example for calling an external compliance API, but provides no warning about protecting credentials, avoiding shell history leakage, or the fact that data is transmitted to a third-party service. In an agent skill context, this can normalize unsafe credential handling and increase the chance that operators paste real production tokens into logs, terminals, or shared environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly supports uploading compliance-related images but does not warn about privacy, confidentiality, or data-handling risks. Because images may contain product labels, certificates, personal data, or other sensitive business information, omission of consent/minimization guidance can lead to inadvertent disclosure to the gateway or downstream third parties.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to copy an access token from the seller backend and optionally save it to a local store, but provides no guidance that the token is a sensitive credential or how it must be protected. In an authorization-flow document for a production commerce integration, this omission increases the likelihood of insecure handling, accidental disclosure, token reuse, or compromise of seller account access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly tells users to copy an access token and save it for later API use, but it does not clearly label the token as a secret or warn against exposing it in logs, chats, source control, or shared storage. In a skill whose purpose is to help obtain and persist API credentials, this omission increases the chance of credential mishandling and unauthorized access to Temu partner APIs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The emit_result path writes the complete serialized API response to disk and only prints a save message or summary, with no explicit disclosure or consent mechanism in this code path. This is dangerous because users may believe the skill merely proxies API calls while it actually retains potentially sensitive compliance and token-adjacent data locally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists Temu access tokens in plaintext JSON on local disk without setting restrictive file permissions, encryption, or any guardrails around secret handling. In a compliance/integration skill, these tokens likely grant access to merchant data and actions, so compromise of the local filesystem, backups, or shared user account can expose reusable credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Printing the retrieved access token directly to stdout creates an immediate secret exposure risk, especially in agent environments where outputs may be logged, cached, or forwarded. The absence of any warning, masking, or secure handling guidance increases the chance of accidental leakage and subsequent account/API abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script's usage flow instructs the user to paste an access token and then stores it locally without any explicit warning about persistence, storage location, retention, or security properties. This is dangerous because users may assume the token is used ephemerally, while in reality a sensitive credential is being retained and may be recoverable by other users, processes, backups, or logs on the host.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/temu_proxy.py:7