Back to skill

Security audit

Shopify Partner

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent, but it gives agents a broad Shopify Partner GraphQL interface that can run mutations while describing itself and its safety model as read-oriented.

Review this skill before installing. It may be useful for Shopify Partner work through OOMOL, and VirusTotal/static scan did not show malware, but users should treat execute_graphql as write-capable, require explicit confirmation for any mutation, and avoid routing broad or sensitive Shopify Partner tasks through it without checking the exact payload and effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest and description present the skill as suitable for 'searching and reading data,' but the documented action surface includes `execute_graphql`, which can run mutations and therefore change Shopify Partner state. This mismatch can mislead an agent or user into invoking a write-capable skill in situations where only read-only behavior was expected, increasing the risk of unauthorized or accidental state changes.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The safety section states that untagged actions are reads, yet `execute_graphql` is untagged while its own description explicitly allows mutations. This creates a direct safety-policy contradiction that can cause automated systems or operators to treat a write-capable action as harmless, enabling accidental execution of destructive or state-changing GraphQL mutations without the expected confirmation barrier.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The phrase 'Use this skill for ANY Shopify Partner request' is overly broad and encourages routing all Shopify Partner tasks through this skill regardless of operation type or risk. In the context of a skill that can execute arbitrary GraphQL, this broad trigger increases the chance that sensitive, state-changing, or poorly scoped requests are sent through a capability-rich interface without sufficient scrutiny.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.