Security audit

Shopify Link Checkout

Security checks across malware telemetry and agentic risk

Overview

This skill is openly designed to make real Shopify purchases, but it handles payment data unsafely and includes automation-bypass behavior without enough user-controlled safeguards.

Install only after careful review. Use an isolated environment, avoid passing card/CVC or personal data on the command line, require a human confirmation of merchant, item, quantity, shipping address, total price, and payment method immediately before purchase, and remove automation-bypass behavior that circumvents merchant protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence: 95%
Finding
The activation phrases are broad enough to match ordinary shopping-related requests, which increases the chance that the skill is invoked when the user did not intend to authorize an autonomous purchase workflow. In this skill’s context, unintended invocation is especially dangerous because the documented workflow culminates in order placement and handling of payment and personal shipping data.

Missing User Warnings

High
Confidence: 97%
Finding
The skill advertises autonomous purchasing and order completion without prominently warning that checkout is irreversible once "Pay now" is clicked and that sensitive payment and personal data will be used in the process. In a purchasing skill, omission of those warnings materially increases the risk of users authorizing actions without understanding that real funds, identity data, and shipping details are being transmitted to third parties.

Natural-Language Policy Violations

Medium
Confidence: 97%
Finding
The guidance explicitly recommends '--disable-blink-features=AutomationControlled' and a realistic user agent, which are common anti-detection techniques intended to conceal browser automation from websites. In the context of an autonomous purchasing skill, this increases risk by facilitating stealthy interaction with merchant checkouts and can bypass fraud, bot, or consent signals that sites rely on.

Missing User Warnings

High
Confidence: 98%
Finding
The script automatically clicks the final "Pay now" button and explicitly notes that the click is the purchase, but it provides no last-step confirmation, dry-run mode, or safety interlock. In an autonomous purchasing skill, this makes accidental or prompt-induced unauthorized purchases far more likely, especially because the tool is designed to act end-to-end with stored buyer and payment data.

Missing User Warnings

High
Confidence: 99%
Finding
The script accepts full card number, expiry, CVC, and buyer PII directly on the command line, which exposes secrets to shell history, process listings, job logs, and debugging/telemetry systems on the host. Because this skill is specifically intended for autonomous purchasing, the combination of payment data and address data materially increases the risk of credential theft, fraud, and privacy compromise.

VirusTotal

63/63 vendors flagged this skill as clean.
