Back to skill

Security audit

Dropship Product Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent ecommerce purpose, but it can publish live store products using powerful credentials while the actual pipeline script is not included for review.

Install only after you can inspect the actual pipeline.js implementation. Use a staging WooCommerce store first, run dry-run before any live action, use least-privilege and disposable API keys, confirm product data and supplier mappings manually, and rotate credentials after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to run a pipeline that can upload media and publish products live to WooCommerce, but it does not prominently warn that these actions modify production store data. This creates a real safety risk: a user may execute the provided commands expecting a test workflow and unintentionally create public listings, alter catalog state, or expose incomplete product content on a live storefront.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.