Shopify Helper

Security checks across malware telemetry and agentic risk

Overview

This skill mostly provides Shopify guidance, but it also includes a separate generic local logging script that stores command inputs without clear disclosure.

Review before installing. The Shopify guidance script itself is low-risk, but avoid entering shop secrets, customer data, API tokens, or sensitive operational notes into the generic shopify-helper commands unless you are comfortable with them being retained locally and know how to delete the stored files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The _log function persistently records command arguments to a history file under the user's data directory without notice or consent. If users pass secrets, tokens, customer data, store details, or other sensitive inputs as arguments, those values will be retained on disk and may later be exposed to other local users, backups, or support tooling.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The add command writes arbitrary user-supplied content to a persistent file while presenting the tool as a Shopify helper without clearly disclosing that local data retention occurs. In this skill context, users may reasonably enter product notes, API-related data, store metadata, or customer-adjacent content, creating privacy and data-handling risk if the file is later read, exported, synced, or inspected.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal