Back to skill

Security audit

Order & Returns Manager

Security checks across malware telemetry and agentic risk

Overview

This looks like a real commerce-management skill, but it asks for powerful store credentials through chat and can change live orders, refunds, inventory, and customer messages.

Install only after deciding you trust the publisher and the chat environment with live store access. Use dedicated least-privilege API keys, restrict who can invoke the bot, keep refund and mutation confirmations enabled, avoid pasting production secrets into ordinary chat where possible, and plan credential rotation/deletion before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to paste live Shopify access tokens into a bot conversation, which creates a direct secret-handling risk. If bot messages are logged, retained, exposed to other tools, or accessible to operators, the token could be used to read and modify orders, fulfillments, draft orders, and inventory.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup requests broad write-capable Shopify scopes such as write_orders, write_fulfillments, write_inventory, and write_draft_orders, enabling the skill to make consequential store changes. In context, the same document also promotes automated order, refund, and restock actions, increasing the risk of accidental misuse or abuse if the bot or its credentials are compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples include realistic-looking customer personal data, including full name, email address, phone number, and postal address, without any indication that these are synthetic or redacted. In training or production-adjacent artifacts, this can normalize unnecessary exposure of PII and risks accidental reuse, disclosure, or inclusion of real customer data in prompts and logs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to provide a raw Shopify access token directly in chat (`token: shpat_xxx`) without any warning about secure credential handling, secret storage, or limiting exposure in messaging platforms. In a skill designed for WhatsApp or Telegram workflows, this is especially risky because chat logs, screenshots, integrations, or compromised bot sessions could expose long-lived store credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises automatic refunds, restocking, customer notifications, and cancellations as routine chat-triggered actions without clearly warning that they mutate live commerce data and may be difficult or impossible to undo. In an agent skill that operates from a single message, this increases the chance of accidental destructive actions, operator misunderstanding, or abuse through unauthorized access to the chat interface.

Ssd 3

High
Confidence
99% confidence
Finding
The instructions tell users to send a live Shopify token directly in plain-language chat, which is an unsafe channel for highly sensitive credentials. Because the token grants operational access to store data and write actions, exposure through conversation history, telemetry, support review, or prompt leakage could lead to unauthorized store changes and data access.

Ssd 3

High
Confidence
99% confidence
Finding
The WooCommerce setup similarly requests a consumer key and consumer secret through the bot conversation, exposing long-lived API credentials in an insecure medium. With Read/Write permissions, compromise of these secrets could allow unauthorized order or store operations and access to customer-related commerce data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.