fecify-site-manager-v1

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Fecify site-management skill, but it needs Review because it stores powerful site tokens on disk and exposes broad authenticated API calls that can change store data.

Install only if you trust the publisher and are comfortable giving the skill a Fecify API token that can read and change store data. Use HTTPS-only site URLs, prefer scoped or revocable tokens, avoid shared machines, review temp/failed import files for sensitive data, and require explicit confirmation before create, update, delete, or bulk import operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill claims to manage Fecify sites, but it exposes a generic API proxy capable of arbitrary method/path calls and additional plugin/init queries not clearly disclosed in the description. This mismatch can mislead users and reviewers about the breadth of authority, increasing the chance of unintended destructive actions or abuse with stored site tokens.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script exposes a generic proxy that can invoke arbitrary API paths with multiple HTTP methods, which exceeds the stated business scope of managing products, orders, and CSV import. In an agent skill context, this broad primitive can be repurposed to reach sensitive or undocumented endpoints, bypass intended guardrails, and perform destructive or privacy-impacting actions using the bound site token.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to provide a site URL and AccessToken in arbitrary format and states that configuration is persistently stored, but it gives no warning about credential sensitivity, storage handling, masking, or rotation. This creates a real risk of secret exposure, overcollection, and long-lived compromise if logs or persisted data are accessed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The architecture explicitly documents persistent storage of `{ url, token }` in `sessions/<domain>/config.json`, which means API credentials are kept on disk across restarts. In a multi-session site-management skill, this increases exposure to credential theft through local file disclosure, backup leakage, improper permissions, or accidental commit/logging, especially because the documentation provides no mention of encryption, file permission hardening, or secret-handling safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that failed imports are archived locally with full API request bodies, raw API responses, and possibly error stacks, but it does not warn that these artifacts can contain sensitive product data, tokens, internal paths, or backend error details. In an agent or shared-host environment, this creates a real confidentiality risk because local temp files may be retained, backed up, or accessed by other users/processes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This document describes a state-changing product-creation endpoint that persists new product records, but it does not prominently warn operators that invoking it will modify production business data. In an agent skill context, missing mutation warnings increases the chance of accidental inventory/catalog changes through automation, especially because the example shows a fully populated create request that can be copied directly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to fetch the full product, modify fields, and then submit complete `images`/`variants`/`options` arrays, including removing unwanted entries. In a site-management skill with persistent bindings and live product operations, this creates a real risk of unintended destructive updates or data loss if a user or agent omits sub-entities, and the docs do not prominently warn that omitted items may be deleted or overwritten.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends the sensitive `skill-access-token` using either HTTPS or plain HTTP based solely on the user-supplied URL. If a non-HTTPS URL is provided, the token is transmitted in cleartext and can be intercepted or modified by anyone on the network path, enabling unauthorized access to the bound Fecify site. In this skill, the token is a persistent site-management credential, which makes insecure transport especially dangerous.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists API tokens in plaintext on disk under a shared data directory, increasing the blast radius if the host, filesystem, backups, or logs are accessed by another local user, process, or support workflow. In a site-management skill, these tokens likely grant direct control over stores, so compromise could expose orders/products or enable destructive administrative actions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The file implements arbitrary outbound API calls through a reusable proxy without any visible restriction or clear user-facing disclosure of what data may be transmitted to the remote site. In a persistent multi-site manager bound to URL and API token, this increases the chance that agent-controlled inputs can send unintended data or trigger remote actions beyond what the user expects.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
node scripts/csv-import/detect-shopify-csv.js <CSV file>

# Step 2 — Execute (assemble parameters based on the user's choices)
node scripts/csv-import/import-shopify-csv.js <CSV> [--max=N] [--skip=N] [--dry-run] [--use-network-images] [--gen-tags=none|auto|force] [--tag-count=N] [--img-concurrency=N] [--img-retries=N] [--import-concurrency=N] [--skip-validation]
```
Confidence
97% confidence
Finding
--skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```
node scripts/csv-import/detect-shopify-csv.js <CSV file>

# Step 2 — Execute (assemble parameters based on the user's choices)
node scripts/csv-import/import-shopify-csv.js <CSV> [--max=N] [--skip=N] [--dry-run] [--use-network-images] [--gen-tags=none|auto|force] [--tag-count=N] [--img-concurrency=N] [--img-retries=N] [--import-concurrency=N] [--skip-validation]
```
Confidence
78% confidence
Finding
skip-validation

VirusTotal

65/65 vendors flagged this skill as clean.
