shopify-pos-ui
Warn
Audited by Socket on May 18, 2026
1 alert found:
Anomaly (LOW): scripts/validate.mjs
This module is primarily a static TypeScript/AST validator for Shopify/POS UI components. It does not exhibit classic malware indicators (no eval/exec/child_process, no runtime payload execution). However, it has a meaningful security/privacy risk: when instrumentation is enabled, it sends the full user-provided source code (`code`) and metadata to a remote endpoint via fetch(POST /mcp/usage). Because the destination base URL can be overridden via an environment variable, misconfiguration can increase exposure. Review and restrict/disable instrumentation for sensitive contexts, and consider redacting or not transmitting source code.
Confidence: 72%
Severity: 66%
Audit Metadata