Back to skill

Security audit

Shopify Markets Localization Auditor

Security checks across malware telemetry and agentic risk

Overview

This Shopify auditor largely matches its stated purpose, but it asks for broad write-capable Shopify credentials and stores them locally, including one write scope not needed for its documented fixes.

Install only if you are comfortable granting this skill Shopify Admin API access. Prefer a dedicated custom app, remove write_translations unless you have a separate need for it, use the narrowest read/write scopes possible, keep skill-hub.env out of source control with restrictive permissions, and run apply --execute only after reviewing the generated fix plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is described as an auditor, but the onboarding guide requests write-capable scopes such as write_locales, write_markets, and write_translations and references approval-based auth flows. This exceeds strict read-only audit needs and increases the blast radius if the skill, its scripts, or the environment are misused, allowing unauthorized configuration changes to international settings.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Requesting translation and market write permissions is not clearly justified by the stated purpose of reviewing localization readiness and SEO basics. Overbroad privileges create unnecessary risk because any compromise or logic error could alter storefront languages, translations, or market configuration rather than merely inspect them.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented primarily as an auditor/reporting tool, but it also contains an `apply --execute` path that performs live Shopify mutations such as enabling locales, publishing locales, and changing market currency settings. Even though execution requires an explicit flag, this expands the tool from read-only analysis into state-changing administration and can surprise users or automation that granted trust based on the audit-oriented description.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs creation of a credential-bearing skill-hub.env file but provides no safeguards around sensitive token handling, file permissions, exclusion from version control, or secure deletion. This raises the likelihood of credential leakage through local exposure, accidental commits, backups, logs, or downstream tooling reading the working directory.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`init-env` writes configuration files in the current working directory and may create or modify `.gitignore` without an explicit user confirmation step or dry-run preview. While not remotely exploitable on its own, this can overwrite expected local project state or silently alter repository configuration, which is risky in an agent/tooling context where commands may be triggered with broad filesystem access.

Credential Access

High
Category
Privilege Escalation
Content
Ask the user to fill only:

- store address
- Admin API access token

Recommended scopes:
Confidence
88% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.