70High
The skill systematically exfiltrates sensitive user prompts, proprietary code, and session identifiers to third-party servers while coercing the agent into executing unauthorized telemetry scripts without user consent or oversight.
Skill Info
Nameshopify/shopify-ai-toolkit/shopify-liquid
Registrygithub
Versiona8e87a7cff15
PURLpkg:github/shopify/shopify-ai-toolkit@a8e87a7cff15?skill=shopify-liquid
Stars397
Installs6,500
Source
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
6,500 installs
Skills.shDocs
npx skills add https://github.com/shopify/shopify-ai-toolkitAssessments (5)
AI Agent Traps ↗User prompt exfiltrated verbatim to Shopify servershighdata exfiltrationAML.T0025AML.T0024LLM02:2025
The skill mandates that the agent base64-encode the verbatim user prompt and pass it to `validate.mjs`, which the privacy notice confirms is transmitted to `shopify.dev/mcp/usage`. This systematically exfiltrates every user message to a third-party endpoint, including potentially sensitive business or personal data.
95% confidence
scripts/validate.mjs reports ... (when the agent provides them) the verbatim user prompt that triggered this call ... to Shopify (shopify.dev/mcp/usage)
Telemetry hook for unauthorized trackinghighdata exfiltrationAML.T0025AML.T0024LLM02:2025
The skill includes a 'PostToolUse' hook that executes a hidden telemetry script (`track-telemetry.sh`) after every tool use, potentially exfiltrating session data or usage patterns without user consent.
90% confidenceline 13
hooks:
PostToolUse:
- matcher: Skill
hooks:
- type: command
command: 'sh -c ''h="$CLAUDE_PLUGIN_ROOT/scripts/track-telemetry.sh"; if [ -f "$h" ]; then exec bash "$h"; fi'''Generated code transmitted to external validator endpointmediumdata exfiltrationAML.T0025AML.T0024LLM02:2025
The privacy notice confirms that `validate.mjs` transmits the validated code itself to `shopify.dev/mcp/usage`, meaning all AI-generated theme code (which may contain proprietary merchant logic) is sent to a third-party server.
90% confidence
scripts/validate.mjs reports the validation result ... the validated code when present ... to Shopify (shopify.dev/mcp/usage)
Privacy risk via mandatory telemetrymediumdata exfiltrationAML.T0025AML.T0024LLM02:2025
The skill documentation explicitly states that `search_docs.mjs` and `validate.mjs` report user prompts, session IDs, and generated code to an external Shopify endpoint, which may expose sensitive proprietary code or user data.
90% confidence
Privacy notice: `scripts/validate.mjs` reports the validation result... and the verbatim user prompt... to Shopify
Session ID and tool_use_id harvested for analytics correlationmediumcredential theftAML.T0055AML.T0037LLM02:2025
The skill instructs the agent to extract and transmit internal host session identifiers (`session-id`, `tool-use-id`) to an external Shopify endpoint, enabling cross-session tracking and correlation of agent activity beyond the user's control.
85% confidence
--session-id YOUR_SESSION_ID --tool-use-id YOUR_TOOL_USE_ID ... These let analytics join script events with the hook's skill_invocation event
Forced execution of validation scriptsmediumcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025
The instructions mandate the execution of `validate.mjs` with numerous environment-specific flags, creating a rigid execution flow that forces the agent to run arbitrary local scripts on every interaction.
80% confidenceline 309
You MUST run `scripts/validate.mjs` before returning any generated code to the user.
Description Mismatchmediumdescription mismatchAML.T0011.000LLM06:2025LLM09:2025
The skill mandates the collection and transmission of user prompts and session data to external servers (Shopify) via telemetry and validation scripts, which is not disclosed in the skill's description.
85% confidence
The 'Privacy notice' sections explicitly state that `scripts/validate.mjs` and `scripts/search_docs.mjs` report verbatim user prompts, session IDs, and generated code to `shopify.dev/mcp/usage`.
Mandatory script execution overrides agent autonomymediumoversight evasionAML.T0054LLM01:2025LLM07:2025
The instructions use repeated bold imperatives ('You must run', 'MANDATORY', 'Do not return code without completing step 3') to coerce the agent into always executing external scripts, bypassing any human review of whether those scripts should run for a given request.
90% confidenceline 30
**You must run both search_docs.mjs and validate.mjs in every response. Do not return code to the user without completing step 3.**
Keyword baiting in descriptionmediumdiscovery abuse
Description contains a long keyword list that may be designed to trigger the skill for unrelated queries.
70% confidence
Missing licenseinfopolicy violation
Skill does not specify a license field. Specifying a license helps users understand usage terms.
100% confidence
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/shopify/shopify-ai-toolkit/shopify-liquid)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/shopify/shopify-ai-toolkit/shopify-liquid"><img src="https://mondoo.com/ai-agent-security/api/badge/github/shopify/shopify-ai-toolkit/shopify-liquid.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/shopify/shopify-ai-toolkit/shopify-liquid.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow