Shopify Bulk Upload

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Shopify bulk-upload skill, but it can make live catalog changes and should be used carefully with trusted inputs and a protected Shopify token.

Install only if you intend to let this skill make Shopify product and inventory changes. Use a least-privilege Shopify app token, keep it out of source control and shared logs, test on a development store or with draft products first, back up/export your catalog, and only run trusted CSV/Excel files because image URLs can trigger network requests from your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes running a bulk uploader and lists output artifacts, but it does not clearly warn that execution can create or modify live products, prices, images, and inventory in a Shopify store at scale. In this context, the omission is dangerous because a user may treat the tool as a dry-run or low-risk import utility and accidentally cause large-scale catalog corruption or inventory changes in production.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to place a Shopify access token in a `.env` file but does not warn that the token is a sensitive credential with write access to products and inventory. That omission increases the risk of credential leakage through source control, logs, screenshots, shared archives, or reuse in unsafe environments, which could enable unauthorized modification of the store.

VirusTotal

62/62 vendors flagged this skill as clean.
