Shopline Builder

Security checks across malware telemetry and agentic risk

Overview

This SHOPLINE automation appears purpose-aligned, but it needs Review because it contradicts its browser-isolation promise and can make live store and credential-related changes without enough user control.

Install only if you are comfortable with an assistant operating a live SHOPLINE admin session and making storefront, checkout, shipping, and migration changes. Before use, require the skill to stay in an isolated browser, keep all products/settings in draft until you approve exact values, and never paste payment or platform secrets into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill instructs the agent to fabricate and publish a product listing, including title, description, price, stock, and imagery, without explicit user-provided product data or final approval. This can cause unauthorized store modifications, false advertising, copyright/licensing issues, and business or legal harm because the agent is making material commercial representations on the user's live storefront.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding
The skill executes shell commands to fetch external assets to the local filesystem, expanding capability from browser automation into arbitrary command execution and network egress. Even if used here for images, this pattern increases risk of abuse, supply-chain dependency on external content, and downloading unvetted material into the automation environment.

Scope Creep

Severity: Critical
Confidence: 99%
Finding
The manifest says the skill uses only an isolated openclaw browser and does not access the user's browser context, but these instructions explicitly switch to profile="user" for logged-in operations. That breaks the stated trust boundary and can expose user session data, cookies, and broader browser context beyond the declared sandbox, creating a serious permission and privacy violation.

Scope Creep

Severity: High
Confidence: 95%
Finding
The migration flow fetches a signed app-install URL and pivots into a cross-domain app hosted outside the declared SHOPLINE admin sandbox scope. This broadens access and trust assumptions, especially when paired with credential handling and hidden-field manipulation, and can expose users to unintended third-party contexts not clearly covered by the manifest.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding
The documentation explicitly promises the skill will always use openclaw and never use profile="user", yet later procedures require profile="user". This mismatch is dangerous because it defeats informed consent: users and reviewers are told one security boundary exists while the skill actually operates with broader access.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill plans to generate and publish product content and imagery to a live store without clearly warning the user upfront that it will make externally visible business changes. In a commerce admin context, silent modification of catalog content is especially dangerous because it can create public listings, pricing, and claims the merchant did not authorize.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
Payment and shipping settings are critical store controls with direct operational and financial consequences, yet the skill proposes changing them automatically without a robust confirmation step. In this context, even well-intentioned automation can misconfigure checkout, create regulatory or customer-service issues, and affect order acceptance.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide instructs users to generate and enter WooCommerce API credentials, but it does not clearly warn that these secrets are sensitive, should only be entered into the official migration app, and must never be pasted into chat or shared with an agent. In an AI-assisted workflow, that omission increases the risk of credential disclosure or reuse beyond the intended system, potentially exposing store data even if the example requests read-only scope.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Shoplazza flow tells users to create and provide an API token without warning that the token is effectively a secret granting platform access. Because this skill is designed for AI-guided execution, users may infer the assistant is an acceptable place to share the token, creating a realistic path to credential leakage and unauthorized store access.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Telling users to input a Stripe API Key without any warning is more dangerous than ordinary setup guidance because Stripe keys are highly sensitive financial credentials that can enable unauthorized access to payment operations and customer/payment data, depending on key scope. In the context of an AI skill that walks users through actions, the lack of a prohibition on sharing keys with the assistant materially raises the chance of secret exfiltration.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill instructs the user to paste a Shopify Client ID and Secret into chat so the agent can use them. Collecting secrets through chat unnecessarily exposes credentials to the assistant pipeline and logs, and in this context those secrets can authorize access to sensitive store migration capabilities.

VirusTotal

66/66 vendors flagged this skill as clean.