Maverick Shopify Mcp

Security checks across malware telemetry and agentic risk

Overview

This Shopify skill appears legitimate, but it gives an agent broad Shopify admin power that can read sensitive commerce data and change live store content.

Install only if you intend to give the agent admin-capable Shopify access. Use a narrowly scoped Shopify token, avoid production write permissions unless needed, and require explicit human approval before product mutations or raw admin_graphql calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill explicitly relies on environment variables and outbound network access to communicate with Shopify, yet no permissions are declared. This creates a transparency and governance gap: operators and policy engines cannot accurately assess or constrain what the skill can access, which is especially risky because it handles commerce data and admin credentials.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The description frames the skill as general Shopify search/read/work support, but the observed behavior includes product creation, updates, and arbitrary Shopify Admin GraphQL queries and mutations. That mismatch is dangerous because users or orchestrators may invoke it under a lower-risk assumption while it actually has broad write and arbitrary API execution capability against a live commerce backend.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill metadata emphasizes searching/reading Shopify commerce data, but the code exposes write-capable productCreate and productUpdate tools. This capability expansion is risky because an agent or user may invoke store-modifying operations without expecting destructive side effects, leading to unauthorized or accidental changes to production catalog data.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The admin_graphql tool allows arbitrary Shopify Admin GraphQL queries and mutations, which is far broader than the declared purpose of searching and working with Shopify data. In practice this becomes a universal admin primitive that can read or modify any resource permitted by the token, bypassing any safety constraints implied by the narrower helper tools.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The create_product and update_product tools perform remote write operations against the Shopify store without any built-in confirmation or policy guardrails. In an agent setting, hidden write effects are dangerous because prompt injection, tool misuse, or user misunderstanding can lead to unintended modifications of live commerce data.

VirusTotal

VirusTotal findings are pending for this skill version.