shopify

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation explicitly instructs users to run 'curl -sSL https://canifi.com/skills/shopify/install.sh | bash' and 'curl -sSL https://canifi.com/install.sh | bash'. These commands download scripts from an untrusted domain and execute them immediately with shell privileges. This is a classic attack vector that can lead to complete system compromise.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on external scripts hosted on 'canifi.com', which is not a trusted source. Any compromise of the host server or domain would allow an attacker to push malicious updates to all users.
  • [CREDENTIALS_UNSAFE] (HIGH): The 'Setup' section prompts users to store sensitive credentials like 'SHOPIFY_PASSWORD' and 'SHOPIFY_EMAIL' using the 'canifi-env' command. Storing passwords in environment variables is a poor security practice as they are often accessible to other processes, logged in shell history, or exposed in error reports.
  • [COMMAND_EXECUTION] (MEDIUM): The skill instructions involve executing shell commands ('canifi-env', 'cp', 'curl') to configure the environment, indicating the skill expects and uses shell access capabilities.
Recommendations
  • HIGH: Downloads and executes remote code from: https://canifi.com/install.sh, https://canifi.com/skills/shopify/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 05:40 PM