Security Audit
shopify-development
github.com/davila7/claude-code-templates
Trust Assessment
shopify-development received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 2 critical, 2 high, 6 medium, and 1 low severity. Key findings include Arbitrary command execution, Suspicious import: urllib.request, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/web-development/shopify-development/scripts/shopify_init.py:196 |
| CRITICAL | **Data Exfiltration via Malicious SHOP_DOMAIN Override.** The `EnvLoader` class in `scripts/shopify_init.py` loads environment variables, including `SHOP_DOMAIN`, from `.env` files found not only in the skill's directory but also in its parent (`skills/`) and grandparent (`.agent/`, `.claude/`, etc.) directories. The `SHOP_DOMAIN` variable loaded from these potentially untrusted parent `.env` files is subsequently used by `scripts/shopify_graphql.py` to construct the API endpoint URL (e.g., `https://{shop_domain}/admin/api/...`). If a malicious actor can place a `.env` file in a parent directory, they could set `SHOP_DOMAIN` to their own controlled domain. This would cause the `ShopifyGraphQL` client to send the `access_token` (which is `SHOPIFY_API_KEY` or `SHOPIFY_API_SECRET` loaded from the same `EnvConfig`) to the attacker's server, leading to credential compromise and data exfiltration. Restrict `.env` file loading to the skill's own directory or explicitly define a trusted search path. Alternatively, implement strict validation for `SHOP_DOMAIN` to ensure it matches a legitimate Shopify domain pattern (e.g., `*.myshopify.com`) before use in API calls. | Static | scripts/shopify_init.py:78 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'check_cli_installed'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/web-development/shopify-development/scripts/shopify_init.py:196 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | **Suspicious import: urllib.request.** Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | cli-tool/components/skills/web-development/shopify-development/scripts/shopify_graphql.py:20 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pytest>=8.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/web-development/shopify-development/scripts/requirements.txt:7 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pytest-cov>=4.1.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/web-development/shopify-development/scripts/requirements.txt:8 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pytest-mock>=3.12.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/web-development/shopify-development/scripts/requirements.txt:9 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Unpinned Global NPM Dependency (Shopify CLI).** The `SKILL.md` instructs users to install `@shopify/cli@latest` globally via `npm`. The `scripts/shopify_init.py` then executes `shopify` commands, relying on this global installation. Using `@latest` means the version is unpinned, making it vulnerable to malicious updates if the `latest` tag is compromised. Furthermore, relying on a globally installed command without specifying its exact path or validating its integrity introduces a risk of typosquatting or PATH manipulation, where a malicious executable named `shopify` could be executed instead of the legitimate one. Instruct users to install the Shopify CLI with a pinned version (e.g., `@shopify/cli@3.x.x`) to prevent unexpected or malicious updates. Consider adding a mechanism to verify the integrity or authenticity of the `shopify` executable before running commands, or provide clear instructions on how users can do so. | Static | SKILL.md:39 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |