Back to skill

Security audit

Shopify Product Serp Optimizer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Shopify SEO skill, but it asks for broad store write/setup authority and includes non-interactive setup steps that users should review carefully.

Install only if you are comfortable granting Shopify product/file write permissions and storing store credentials in a local env file. Prefer Path C for read-only audits, review any generated update bundle before --execute, and confirm Shopify app scopes before authorizing or deploying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The reference materially expands the skill from five-product SERP optimization into general public storefront extraction, HTML scraping, and alternate access paths when API permissions are absent. That scope creep increases data collection capability and creates a pathway for broader reconnaissance or unauthorized enumeration than the skill description suggests, even if the data is publicly exposed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
These sections explicitly document pagination over /products.json and traversal of collections, enabling full-store crawling unrelated to the stated use case of optimizing five product pages. In context, this makes the skill more dangerous because it operationalizes bulk extraction and profiling of an entire storefront, which could be misused for competitive intelligence, mass data harvesting, or exceeding the user's intended authorization boundary.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference materially broadens the skill beyond product SERP optimization into metafield auditing, image alt optimization, blog/article ideation, and community/distribution guidance. That scope expansion increases the chance the agent will perform actions or generate recommendations outside the user’s expected consent boundary, including changes and research workflows not clearly disclosed by the manifest.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented fallback permits public storefront scraping and live Google/Amazon evidence collection even when Shopify access is unavailable, but this behavior is not clearly disclosed in the manifest. Hidden data-source expansion is dangerous because it can cause the agent to access third-party sites and collect/store external content unexpectedly, exceeding user expectations and potentially violating network, privacy, or compliance boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Requiring live Amazon user-intent evidence introduces an unnecessary third-party dependency for a Shopify SERP optimization skill and expands collection to external commercial content. This broadens the skill’s operational surface and may lead to undisclosed external access, terms-of-service friction, or contamination of recommendations with competitor marketplace data the user did not expect to be used.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The methodology extends into off-page distribution, outreach, and community-posting guidance for Reddit, bloggers, and Facebook groups despite the skill being framed as product-page SERP optimization. This is dangerous because it encourages the agent to influence external platforms and generate quasi-link-building or promotional tactics outside the declared scope, increasing misuse and user-surprise risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reporting layer goes beyond a narrow SERP product-snippet optimizer and includes broad marketing/reporting constructs such as blog mapping, community promotion, and enhanced content strategy sections. In an agent skill, this scope expansion is dangerous because it can cause the tool to generate or justify actions outside the user-approved capability boundary, increasing the chance of unintended business-impacting outputs and unsafe downstream writes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly renders community-promotion and blog-ideation content, which is unrelated to safe product SERP snippet optimization. This creates a capability mismatch where an ostensibly narrow SEO tool can influence off-platform promotion strategy, making it easier for an agent to overstep user expectations and produce unreviewed marketing guidance.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The apply path can write metafields and file alt text in addition to product SEO/content fields, but those write capabilities are not clearly aligned with the stated purpose of a SERP metadata optimizer. Undisclosed write surface increases risk because users or higher-level agents may authorize this skill expecting limited metadata edits while it can modify additional store data structures.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly directs the agent to create or modify local files such as `skill-hub.env` and `.gitignore`, and to run setup/CLI actions 'silently' with limited user notification. In an agent context, silent file modification and command execution reduce user visibility and consent, which can lead to unintended environment changes, persistence of configuration, or execution of sensitive actions without adequate review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When invoked with --execute, the apply command performs real product, file, and metafield mutations after only local JSON validation, without a strong execution-time warning, interactive confirmation, or mandatory dry-run acknowledgement. In an agent context, that makes accidental or overly broad writes more likely, especially if another component supplies the plan automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.