Back to skill

Security audit

Shopify Storefront

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Shopify Storefront connector that can read storefront data and make limited cart changes with user confirmation guidance.

Before installing, understand that this skill lets an agent use your connected OOMOL Shopify Storefront integration to read storefront data and create or modify carts. Confirm cart-changing actions carefully, and only run the one-time CLI install or account connection steps if you trust OOMOL and need this connector.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger language is overly broad because it instructs the agent to use this skill for any Shopify Storefront-related task without narrowing by operation type, trust boundary, or user intent. That increases the chance the agent will invoke the skill in situations where a narrower tool, extra validation, or explicit consent for write operations would be more appropriate, especially since this skill supports state-changing actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.