Ecwid Ecommerce

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Ecwid API skill with expected store-token access; the main caution is that order, customer, and cart queries can expose personal customer data.

Install only if you want an agent to access your Ecwid store. Use a read-only token with the smallest required scopes when possible, avoid full admin tokens unless you intentionally need write operations, use responseFields to limit returned data, and redact customer emails, phone numbers, addresses, billing/shipping details, tracking numbers, and private admin notes before sharing outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents endpoints for retrieving customer, order, and abandoned cart data, including emails, addresses, phone numbers, billing/shipping details, tracking numbers, and private admin notes, but it does not include a user-facing privacy warning or guidance to minimize collection/display of personal data. In an agent setting, this increases the risk that an assistant will retrieve or expose sensitive customer information without informed user confirmation or data-minimization safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal