Shopline

Security checks across malware telemetry and agentic risk

Overview

This Shopline skill is transparent about using Membrane, but it can modify live store data and delete products without documented confirmation safeguards.

Install only if you intend to let an agent access and potentially change your Shopline store through Membrane. Use least-privilege credentials, test on a non-production store first when possible, and require explicit confirmation before any create, update, delete, order-changing, customer-changing, or raw proxy API request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly documents a destructive `delete-product` capability without any guidance to require confirmation, preview affected records, or limit use to clearly authorized user requests. In an agentic context, this increases the chance of accidental or overly broad destructive actions against a live storefront.

VirusTotal

65/65 vendors flagged this skill as clean.
