Back to skill

Security audit

Shopify Store Translator

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate Shopify translation purpose, but it can make live store and app-permission changes with weak built-in confirmation controls.

Install only if you are comfortable giving this skill Shopify Admin write access. Before running setup or writes, require the agent to show the exact scopes, files, store domain, locale, markets, resource counts, and CSV to be changed, and approve each live Shopify mutation explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase "translate my store / everything" maps directly to a very broad full-store scope, which can cause the agent to fetch and prepare translations for many resource types beyond what a user may have intended. In this skill, that ambiguity is more dangerous because the document explicitly instructs the agent to "know EVERYTHING related" and to include all nested resources, increasing the chance of overbroad access, excessive API actions, or unintended content processing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly instructs the agent to perform live Shopify market and locale mutations, including publishing locales and changing market web presence, without requiring a strong confirmation gate, rollback plan, or warning about production impact. In a commerce admin context, these actions can immediately alter storefront visibility, URLs, and customer-facing language behavior, making accidental or overbroad changes plausible.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Mandating a single shared app name for all skills centralizes trust and permissions into one long-lived integration, increasing blast radius if any skill is compromised or over-scoped. In this skill context, the guide also couples that shared app with additive-only scopes, which makes privilege accumulation across unrelated workflows more dangerous over time.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs the agent to create or modify local files such as `skill-hub.env` and `.gitignore` automatically without an explicit user confirmation at the time of change. Silent filesystem modification is risky in an agent setting because it can alter project state, hide sensitive files from version control, and normalize unauthorized local changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Directing `npm install -g @shopify/cli@latest` without a clear user-facing warning authorizes a global system change that affects the host environment beyond the current project. In an agent workflow, unprompted package installation expands attack surface and can break system state or violate change-control expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runbook performs non-interactive validation, deployment, environment-variable token injection, and remote authorization steps using sensitive credentials without a consolidated warning or approval gate. In this Shopify skill context, those actions can change live app scopes and store access, so the combination of secret handling plus remote state changes materially raises risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document’s agent logic says to enable and publish a target locale automatically when it is missing or unpublished, before the later workflow step that says market configuration should be done with user approval. Publishing a locale changes storefront state and can expose partially configured or low-quality translations to customers without explicit merchant consent, which is a real safety and change-control issue for an agent skill with write scopes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`enable-locale` and `add-locale-to-market` perform immediate live Shopify mutations with no interactive confirmation, dry-run mode, or explicit safety gate in the handler. In an agent or automation context, this increases the risk of unintended production changes from mis-specified inputs or autonomous tool use, especially because these operations affect storefront locale availability and market configuration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `write` command pushes batched `translationsRegister` mutations directly to Shopify based on CSV contents without any built-in confirmation, preview, or integrity check beyond presence of fields. In a skill meant for translation workflows, this is risky because a malformed or malicious CSV can cause immediate bulk content changes in the live store once the command is invoked.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:47