WooCommerce Order Guard

Security checks across malware telemetry and agentic risk

Overview

This WooCommerce automation is disclosed and purpose-aligned, but it can automatically change live customer order shipping data without a dry-run, confirmation step, or reliable write-failure handling.

Install only if you intentionally want this skill to update live WooCommerce orders. Use a dedicated least-privilege WooCommerce key, test on staging first, review which billing fields will be copied into shipping, and consider adding dry-run, approval, logging, and PUT error handling before running it on a production cron or connecting it to fulfillment automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description presents the automation as a convenience feature but does not clearly warn that it performs write operations against live WooCommerce orders by copying billing data into shipping fields. This can cause unintended modification of customer order records, create privacy/compliance issues, and lead operators to run the skill in production without understanding that it mutates store data.

VirusTotal

64/64 vendors flagged this skill as clean.