Openclaw Commerce Shopify

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Shopify management skill, but it can read and change live store data through an API key.

Install only if you trust OpenClaw Commerce with the connected Shopify store. Use a dedicated, revocable, least-privilege API key when possible; test on a non-production store first; review every proposed create, update, delete, email, payment, discount, or bulk action before confirming; and avoid sending or logging unnecessary customer, order, billing, tax, or credential data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.

The skill is scoped as order and draft-order creation, but it also directs the agent toward higher-impact order-management actions such as recording payments, sending invoices, marking orders paid, reopening orders, and duplicating drafts. This scope expansion increases the chance that a user request or ambiguous prompt will trigger operations with financial, customer-communication, or fraud-workflow consequences that were not clearly intended.

Intent-Code Divergence

Severity: Low. Confidence: 96%.

The file's error-handling guidance tells the agent to consult `queries/createProduct.md` when a deletion query fails, even though this skill is for deleting orders and draft orders. That mismatch can cause the agent to use the wrong schema, fields, or examples during recovery, leading to malformed retries, user confusion, or unintended actions in a destructive workflow.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.

The agent instructions in this collection-query skill incorrectly reference `queries/createProduct.md` and discuss creating products and inventory policy changes, which are unrelated to read-only collection retrieval. This creates scope confusion and can cause an agent to follow the wrong documentation or attempt unintended write-capable operations when handling errors, increasing the chance of actioning user requests against the wrong capability set.

Missing User Warnings

Severity: Medium. Confidence: 89%.

The README explicitly advertises full read/write access to the Shopify Admin API, including destructive operations over orders, products, customers, catalogs, and discounts, but it does not foreground the operational and privacy risks of using those capabilities against a live store. In the context of an agent skill, insufficient warning and guardrail language increases the chance of accidental destructive actions, exposure of customer data, and unauthorized business-impacting changes if the skill is invoked carelessly or manipulated.

Missing User Warnings

Severity: Medium. Confidence: 92%.

The skill tells the agent to retry GraphQL operations after errors without requiring idempotency checks, duplicate detection, or verification of partial success. For state-changing actions like discount creation or activation, a retry after a timeout, transport failure, or ambiguous GraphQL error can create duplicate discounts or unintentionally activate promotions multiple times, causing unintended pricing changes and financial loss.

Missing User Warnings

Severity: Medium. Confidence: 94%.

The skill encourages generating and potentially sending `catalogCreate` mutations but does not require an explicit warning that the action will create persistent data in a live Shopify store. In a commerce-admin context, this can lead to unintended production changes, accidental catalog creation, operational confusion, or merchandising errors if users think they are only previewing or drafting a query.

Vague Triggers

Severity: Medium. Confidence: 84%.

The activation guidance is broad enough that an agent may invoke this skill for loosely related collection requests without clear confirmation of user intent or safety boundaries. In a live Shopify admin context, overbroad triggering can cause the agent to generate or execute mutations that modify store data when the user may only be asking exploratory or informational questions.

Missing User Warnings

Severity: Medium. Confidence: 88%.

The file presents collection creation and management as routine assistance but does not clearly warn that the generated GraphQL operations can alter live Shopify store data. In an agent setting, this omission increases the risk of unsafe automation because users may not realize that creation, duplication, and product-assignment actions are state-changing and potentially customer-visible.

Missing User Warnings

Severity: Medium. Confidence: 87%.

The skill enables creation and management of customer records, invitations, activation URLs, payment-method update emails, and address handling involving personal data, but it frames these operations mainly as workflow guidance rather than as privacy- and consent-sensitive actions. In a commerce context, this can lead an agent to generate actions that process PII or trigger outbound emails without adequately surfacing consent, authorization, minimization, or user-impact checks, increasing the risk of privacy violations and unwanted customer communications.

Missing User Warnings

Severity: Medium. Confidence: 95%.

The response guidance encourages generating store-mutating GraphQL mutations without prominently warning that these actions can create real orders, decrement inventory, send invoices or receipts, and otherwise affect customers and operations. In an agent setting, missing transactional warnings and confirmation requirements can lead to accidental state changes from misunderstood or underspecified requests.

Vague Triggers

Severity: Medium. Confidence: 89%.

The skill activates on broad product-management requests and then guides the agent toward generating write-capable Shopify mutations such as productCreate, productSet, productDuplicate, and bundle operations. In a commerce context, overly broad activation increases the chance of the agent taking or proposing state-changing actions when the user intent is ambiguous, which can lead to unintended modifications to live store data.

Missing User Warnings

Severity: Medium. Confidence: 94%.

The skill provides detailed instructions for creating, duplicating, and managing products but does not prominently warn that these are write operations affecting potentially live Shopify stores. In this context, the lack of explicit destructive-action warnings and confirmation requirements makes accidental business-impacting changes more likely, especially because the guidance emphasizes fulfilling the request and retrying after errors.

Missing User Warnings

Severity: Medium. Confidence: 87%.

This section actively guides retrieval of customer PII such as email, phone, addresses, order history, and spend data, but it does not include clear privacy, authorization, data-minimization, or consent guardrails. In a customer-data skill, that omission is materially risky because it can normalize over-collection or unnecessary disclosure of sensitive customer information, especially when the skill encourages broad searches, exports, and communication-related use cases.

Missing User Warnings

Severity: Medium. Confidence: 84%.

The skill explicitly encourages generation of queries for billing, legal, tax, address, and contact information without any guardrails about sensitivity, least-privilege scopes, or user authorization. In a store-management context, this can normalize retrieval of sensitive business data and increase the chance an agent discloses or fetches information the requesting user should not access.

Vague Triggers

Severity: Medium. Confidence: 92%.

The skill activates on very broad language such as requests to 'update collections or manage collection data,' which can match many generic collection-related prompts and cause this skill to take over when a more specific or safer skill should handle the request. In an agentic environment, overly broad routing increases the chance of mis-execution, unintended Shopify mutations, and confusion around user intent, especially because this skill is capable of generating destructive operations like unpublish and reorder actions.

Vague Triggers

Severity: Medium. Confidence: 83%.

The activation guidance is broad enough that an agent may generate order-modification mutations from ambiguous user requests without sufficient confirmation of intent or scope. In a commerce context, that can lead to unauthorized or unintended changes to live orders, including edits to items, discounts, addresses, or shipping details, especially if the agent over-assumes what the user meant.

Missing User Warnings

Severity: Medium. Confidence: 81%.

The skill includes instructions for impactful operations like unpublishing products and changing prices or product data, but it does not consistently require an explicit warning or confirmation before high-impact changes. In a commerce-management context, this increases the chance of accidental business-impacting actions such as hiding products from sales channels, changing customer-visible pricing, or altering catalog state without adequate user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.