icosmos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Shopify blog-publishing helper, but users should treat its local credential cache as sensitive.

Install only if you are comfortable storing a Shopify API token locally. Use a dedicated least-privilege token, avoid broad admin scopes, confirm where the cache is stored and how to delete it, and rotate the token if the machine or cache may be exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The documentation states the skill is read-only except for blog publishing, but the setup flow explicitly persists store domains and API tokens into a local cache. This is a security-boundary mismatch: operators may authorize or run the skill under the false assumption that no sensitive state is written locally, increasing the risk of credential exposure through disk access, backups, or logs.

Intent-Code Divergence

Medium
Confidence: 94%
Finding:
The declared security boundary says the only write operation is blog publishing, yet the same file documents a setup command that stores credentials or tokens locally. Misrepresenting write behavior is dangerous because it can bypass user expectations, policy controls, or review gates for skills that handle secrets, even if the write target is local storage rather than Shopify itself.

VirusTotal

64/64 vendors flagged this skill as clean.