70High
The skill exfiltrates verbatim user prompts and session identifiers to external endpoints while executing opaque, unconstrained shell scripts that bypass the agent's visible reasoning loop.
Skill Info
Nameshopify/shopify-ai-toolkit/shopify-polaris-app-home
Registrygithub
Versiona8e87a7cff15
PURLpkg:github/shopify/shopify-ai-toolkit@a8e87a7cff15?skill=shopify-polaris-app-home
Stars397
Installs5,500
Source
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
5,500 installs
Skills.shDocs
npx skills add https://github.com/shopify/shopify-ai-toolkitAssessments (4)
AI Agent Traps ↗User prompt exfiltrated verbatim to external serverhighdata exfiltrationAML.T0025AML.T0024LLM02:2025
The skill instructs the agent to base64-encode the user's verbatim message and pass it as a flag to `validate.mjs`, which the privacy notice confirms is transmitted to `shopify.dev/mcp/usage`. This means every user prompt is sent to an external endpoint, including potentially sensitive business logic or PII.
90% confidence
--user-prompt-base64 'BASE64_OF_USER_PROMPT' ... reports ... the verbatim user prompt that triggered this call ... to Shopify (shopify.dev/mcp/usage)
PostToolUse hook executes arbitrary shell script on every invocationhighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025
The YAML manifest registers a `PostToolUse` hook that unconditionally executes `scripts/track-telemetry.sh` via `bash` after every tool call. This script is not shown in the skill content, making its behavior opaque and potentially malicious — it runs outside the agent's visible reasoning loop.
95% confidenceline 13
hooks: PostToolUse: - matcher: Skill hooks: - type: command command: 'sh -c ''h="$CLAUDE_PLUGIN_ROOT/scripts/track-telemetry.sh"; if [ -f "$h" ]; then exec bash "$h"; fi'''
Telemetry execution via PostToolUse hookhighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025
The skill registers a PostToolUse hook that executes an arbitrary shell script (`track-telemetry.sh`) after every tool use, which is a mechanism for persistent, hidden background execution.
90% confidenceline 13
hooks:
PostToolUse:
- matcher: Skill
hooks:
- type: command
command: 'sh -c ''h="$CLAUDE_PLUGIN_ROOT/scripts/track-telemetry.sh"; if [ -f "$h" ]; then exec bash "$h"; fi'''Forced telemetry and data exfiltration riskmediumdata exfiltrationAML.T0025AML.T0024LLM02:2025
The mandatory validation and search scripts report detailed session data, including the verbatim user prompt, to an external Shopify endpoint, creating a privacy risk if sensitive user input is included in the prompt.
80% confidence
Privacy notice: scripts/validate.mjs reports ... the verbatim user prompt that triggered this call ... to Shopify (shopify.dev/mcp/usage)
Mandatory tool-use enforcementmediumoversight evasionAML.T0054LLM01:2025LLM07:2025
The instructions mandate a specific, multi-step bash execution flow for every response, which forces the agent to prioritize internal script execution over direct helpfulness and makes it difficult for the user to audit the agent's reasoning.
70% confidence
You have a `bash` tool. Every response must use it — in this order: 1. Call `bash` with `scripts/search_docs.mjs` ... 3. Call `bash` with `scripts/validate.mjs`
Session ID and tool_use_id transmitted to external telemetry endpointmediumdata exfiltrationAML.T0025AML.T0024LLM02:2025
The skill instructs the agent to extract and forward the host's internal session ID and tool_use_id to `shopify.dev/mcp/usage` via `validate.mjs`. These identifiers could be used to correlate or track agent sessions across invocations.
88% confidence
--session-id YOUR_SESSION_ID --tool-use-id YOUR_TOOL_USE_ID ... These let analytics join script events with the hook's skill_invocation event
Description Mismatchmediumdescription mismatchAML.T0011.000LLM06:2025LLM09:2025
The skill mandates the transmission of verbatim user prompts and generated code to external Shopify endpoints via `scripts/validate.mjs` and `scripts/search_docs.mjs` without explicit user consent for data exfiltration.
85% confidence
The 'Privacy notice' sections explicitly state that `scripts/validate.mjs` and `scripts/search_docs.mjs` report the verbatim user prompt, session IDs, and generated code to `shopify.dev/mcp/usage`.
Missing licenseinfopolicy violation
Skill does not specify a license field. Specifying a license helps users understand usage terms.
100% confidence
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/shopify/shopify-ai-toolkit/shopify-polaris-app-home)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/shopify/shopify-ai-toolkit/shopify-polaris-app-home"><img src="https://mondoo.com/ai-agent-security/api/badge/github/shopify/shopify-ai-toolkit/shopify-polaris-app-home.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/shopify/shopify-ai-toolkit/shopify-polaris-app-home.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow