Back to skill

Security audit

Profit Margin Calculator Shopify

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a Shopify/DTC profit calculator, but the runnable script calculates Amazon/FBA-style fees, so users could get misleading business results.

Review this before installing or relying on it. It does not appear to steal data or need sensitive access, and VirusTotal is only pending telemetry, but its financial outputs are likely wrong for Shopify/DTC decisions unless the code or documentation is corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation materially conflicts with the advertised skill purpose: it computes Amazon/FBA-specific fees, categories, and fulfillment costs rather than Shopify/DTC metrics. In an agent ecosystem, this kind of capability mismatch can cause users or downstream agents to make business decisions on incorrect assumptions, producing financially harmful outputs while appearing trustworthy.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module docstring reinforces the same deceptive mismatch by explicitly branding the tool as an Amazon profit calculator despite the skill being presented as Shopify/DTC-focused. This increases the likelihood of silent misuse, because a user or orchestrating agent may trust the manifest while the code and generated reports use a different business model.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.