ClawHub

Shopify

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Shopify integration, but it deserves review because it can change or delete live store data without explicit confirmation guidance.

Install only if you are comfortable connecting the intended Shopify store through Membrane. Use a least-privileged Shopify account where possible, review the scopes during connection, and require an explicit confirmation before creating orders, editing customers or products, deleting products, or changing inventory. Consider pinning or verifying the Membrane CLI package before installing it globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill description is broad enough to match many generic Shopify-related requests, which increases the chance the agent invokes this skill in situations where narrower, safer handling would be more appropriate. In a commerce context, over-invocation matters because the skill exposes both read and write capabilities against live store data, so ambiguous routing can lead to unintended operational actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises destructive capabilities such as create, update, delete, and inventory adjustment without any warning, approval gate, or confirmation guidance. In a Shopify environment, accidental execution of these actions can directly alter products, orders, customers, or stock levels, causing business disruption and data integrity issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal