Shopify Auto Invoicing & Inventory

Security checks across malware telemetry and agentic risk

Overview

This skill appears to locally prepare Shopify invoice, inventory, and monthly report files, with expected handling of customer order data and no evidence of hidden network access or account changes.

Use this only with Shopify data you are authorized to process. Choose output paths carefully because CSV files can be created or overwritten, and protect generated invoice and report files because they may include customer personal, billing, and tax information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This skill handles customer billing names, addresses, email addresses, tax identifiers, and order data, but it does not include explicit privacy, retention, minimization, or safe-sharing guidance. In a back-office workflow, that omission can lead users or downstream agents to over-collect, unnecessarily retain, or export sensitive customer data into invoices and reports without adequate safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal