icosmos shop
Security checks across malware telemetry and agentic risk
Overview
This Shopify skill is coherent, but it depends on an unreviewed local CLI to handle account credentials, cached store tokens, order data, and public blog publishing.
Install only if you trust the publisher and can verify the icosmos-shopify CLI separately. Use least-privilege Shopify permissions, avoid broad order exports, confirm where tokens are cached and how to revoke them, and manually review the store, blog ID, title, and body before using --confirm.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
63/63 vendors flagged this skill as clean.