Back to skill

Security audit

Openclaw Shopify Manager

Security checks across malware telemetry and agentic risk

Overview

This Shopify skill mostly does what it says, but it asks for more Shopify access than its documented features need and relies on user/agent discipline for store-changing actions.

Review before installing. Remove read_orders unless you truly need order access, start in read-only mode for verification, require explicit approval for any product or content changes, keep the runtime .env outside repositories, restrict its permissions, and enable Tailscale/systemd exposure only when you understand the host impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill directs the agent to run multiple local shell scripts and a host installer, but the skill manifest does not declare corresponding shell permissions. This creates a permission/transparency gap: an agent or user may invoke system-level actions such as setup, service installation, Docker/systemd changes, and local secret handling without an explicit permission declaration or clear security boundary.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The example configuration requests the `read_orders` OAuth scope even though the described skill functionality focuses on Shopify setup, store information, and product/content operations. Requesting broader access than necessary violates least-privilege and can lead operators to grant unnecessary access to customer order data, increasing privacy and compliance exposure if the connector or its environment is later compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The OAuth access token is persisted in a local `.env` file during `exchangeCode()` without setting restrictive file permissions or presenting any explicit warning at the point of storage. In this skill’s context, the connector is specifically designed to manage Shopify credentials locally, so the behavior is expected, but it still creates a real secret-exposure risk if the runtime directory is shared, backed up, committed to source control, or readable by other local users/processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup-runtime.mjs:150

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/shopify-connector.mjs:28

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/setup-runtime.mjs:291

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/shopify-connector.mjs:108

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/shopify-connector.mjs:377