Back to skill

Security audit

WeChat to Shopify Blog

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated Shopify blog-draft purpose, but its setup can expand Shopify permissions and app configuration beyond what the workflow clearly needs.

Review the requested Shopify scopes before installing or running setup. Use the minimum permissions needed for blog drafts and image uploads, avoid granting theme or product write access unless you separately need it, and confirm before any global npm install or Shopify app deploy step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guide mandates additive-only scope growth across all skills and even recommends a broad fallback scope set unrelated to this skill’s stated purpose of converting WeChat articles into Shopify blog drafts. That violates least-privilege and can cause this skill onboarding to expand an app’s permissions far beyond blog/article needs, increasing blast radius if the app, agent, or credentials are compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documented 'broadest safe set' includes product, file, and theme permissions that do not match the described workflow. Embedding unrelated management capabilities into shared onboarding creates avoidable privilege expansion and makes later compromise materially more damaging.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Path A recommends product and file API scopes even though the skill is for article extraction, adaptation, media upload, and draft blog creation. Requesting product write access without a functional need gives the agent power to alter store catalog data unrelated to the user’s requested task.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script retrieves the entire Shopify product catalog via paginated GraphQL queries even though the stated skill purpose is converting a WeChat article into a Shopify blog draft. This creates unnecessary data exposure and over-collection risk: running the skill grants it access to product titles, descriptions, pricing, tags, collections, media, and URLs unrelated to the requested article conversion task.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The script fetches and parses the storefront homepage metadata, which is outside the manifest's described behavior. Although the target is the store's own primary domain rather than an arbitrary external host, it still performs undeclared network access and collects extra contextual data without clear necessity for converting a blog article.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs the agent to silently run global package installation and app deployment commands that can modify the local system and a remote Shopify app configuration. Performing these actions without explicit, contextual user consent is dangerous because it can change account permissions, install software globally, and affect other skills sharing the same app.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.