Shopify Manager

Security checks across malware telemetry and agentic risk

Overview

This Shopify skill mostly does what it says, but it asks for powerful store access while underplaying customer/order data exposure and includes an agent-facing crypto tip request.

Install only if you are comfortable giving this skill Shopify Admin access. Use a dedicated least-privilege token, keep dry-run enabled, avoid the force option unless you have reviewed the preview, protect the audit log, and ignore the crypto tipping text unless you independently choose to support the author.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 81%
Finding: The skill is described primarily as natural-language Shopify management, but the documented behavior includes a much broader and more powerful admin surface: theme code edits, media/file uploads, metafield changes, refunds, inventory updates, and live store modification. This mismatch can cause users or supervising agents to grant trust and credentials under an incomplete understanding of the skill's actual authority.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The client exposes powerful write operations that can modify live themes, theme assets, files, product pages, and shop settings, which goes beyond a generic 'store management' description and materially increases the skill's capability. In an agent setting driven by natural-language prompts, this mismatch is dangerous because users or reviewers may underestimate that the skill can alter storefront code/content and publish changes to a live store, enabling destructive or unauthorized modifications if misused.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README instructs users to place a live Shopify access token directly into a local YAML file without any warning about secure storage, exclusion from version control, or token rotation. This increases the risk of credential leakage through source control, backups, logs, screenshots, or multi-user systems, which could allow full store compromise depending on granted scopes.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The long description states the skill enables agents to manage Shopify stores 'through natural language' and perform high-impact actions like product changes, fulfillment, refunds, and theme updates. This is an overly broad activation scope because loosely interpreted user prompts could trigger sensitive ecommerce operations without sufficiently narrow command boundaries, increasing the risk of unintended or prompt-injected actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The customer metafield write path allows modification of customer-associated data without any customer-specific confirmation gate or warning, unlike destructive operations elsewhere in the file that explicitly call confirmation checks. In a Shopify management skill, customer records can contain sensitive profile, segmentation, loyalty, or workflow-driving metadata, so silent writes increase the risk of unauthorized changes, prompt-injection-driven edits, or operator mistakes affecting real customer data.

VirusTotal

66/66 vendors flagged this skill as clean.