Shopify Store Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Shopify integration that uses ClawLink OAuth to manage store data, with high-impact actions gated by user confirmation.

Install only if you trust ClawLink to hold and proxy your Shopify OAuth connection. Review Shopify permissions during OAuth, expect the gateway restart to interrupt the current chat, and confirm write actions carefully because the skill can change products, inventory, orders, refunds, billing, and customer data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 91%
Finding
The skill instructs the user to run `openclaw gateway restart` during setup, but does not clearly warn that this will interrupt the current session and require starting a fresh chat. While not a code-execution or data-exfiltration issue, it can disrupt ongoing work and create confusing state during installation. In this context the risk is somewhat reduced because the skill later tells the user to start a new chat, but the interruption warning should appear before the restart command, not after.

VirusTotal

64/64 vendors flagged this skill as clean.
