Back to skill

Security audit

Shopify Expert

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Shopify development skill that clearly discloses its API and credential requirements and does not include executable code or hidden persistence.

Install this only for agents you trust to work with your Shopify store. Use least-privilege Shopify tokens, prefer a dev store for testing, verify current Shopify API docs before production changes, and require explicit human approval before refunds, deletes, inventory changes, customer-data access, or bulk mutations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file documents high-risk operations including deleting products/customers, creating refunds, changing inventory, and accessing customer/order data without an explicit safety banner or consent requirements. In an agent skill context, omission of warnings can normalize unsafe execution and increase the chance an agent or user treats destructive examples as routine actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.