Ned - Shopify Profit Analytics AI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Ned Shopify analytics connector that uses a user-provided API key to query Ned’s API, with no hidden persistence or unrelated data access found.

Install this only if you want your agent to access Ned-connected Shopify analytics. Use a revocable or least-privileged Ned API key if available, avoid exposing the key in shared terminals or logs, and be cautious when asking for customer-level or churn-risk data in shared chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger phrases are very broad, covering common ecommerce questions like revenue, sales, products, customers, and general store performance. This increases the chance the skill is invoked in routine conversations where the user did not intend external API access or disclosure of sensitive business analytics.

Missing User Warnings

Medium
Confidence: 92%
Finding
The setup asks the user to export a live API key but provides no warning about secure storage, redaction, rotation, or avoiding exposure in logs and shell history. Because the key grants access to sensitive store profitability and customer data, poor handling could lead to credential theft and downstream data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
