Shopify Theme Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Shopify theme helper, but it includes guidance that can expose a write-capable Shopify token and can affect a live storefront.

Install only if you need Shopify theme development and deployment help. Before using deployment steps, replace token-printing checks with a redacted existence check, verify the target store and theme ID, test on a development theme first, and require explicit approval before push, publish, or analytics changes go live.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents `shopify theme publish --theme <THEME_ID>` as a normal workflow step for promoting a theme live, but it does not pair that action with the same level of explicit warning and confirmation language used earlier for pushing to a live theme. In an agent skill that may be followed operationally, this can normalize a production-impacting command and increase the chance of accidental publication of unreviewed or unsafe changes to a live storefront.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document recommends using Google Analytics and other third-party Real User Monitoring tools but does not mention consent, privacy disclosures, data minimization, or regional compliance requirements. In a Shopify theme skill, this can lead agents to implement tracking in a way that collects user data without proper notice or lawful basis, creating privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
