shopify product

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PPSPY Shopify product research integration with expected API-key, network, and paid-credit considerations.

Install only if you trust the PPSPY MCP npm package and are comfortable giving it access to your PPSPY account key. Avoid submitting sensitive proprietary store research unless you are comfortable sending those queries to PPSPY, and monitor credit usage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill clearly requires a third-party API key and sends user-provided product/store search data to PPSPY, but it does not disclose that these queries will be transmitted to an external service. This is a real privacy/transparency issue, though the transmitted data appears aligned with the skill’s stated purpose and there is no evidence of hidden exfiltration beyond normal service usage.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal