Scan Report
Score: 15/100
icosmos-shopify
Shopify store operations/diagnostics skill: pulls the store domain and token from Supabase, runs anomaly detection on theme/storefront design, products, checkout and metrics, and supports publishing traffic-driving blog posts (the only write operation).
This is a documentation-only package (SKILL.md) with no executable code. Declared capabilities are reasonable for a Shopify read-only diagnostic tool with one documented write operation.
Safe to install
Request the actual implementation code/binary before trusting. The skill references a local `./icosmos-shopify` binary that does not exist in this package.
Findings (2 items)

| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Package contains no executable code | Doc Mismatch | SKILL.md:40 |
| Low | User credentials stored to environment variables | Sensitive Access | SKILL.md:36 |

Declared vs. inferred resource access
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No code to analyze |
| Network | READ | READ | ✓ Aligned | Shopify API calls declared in SKILL.md |
| Shell | NONE | NONE | — | References ./icosmos-shopify binary but file absent |
| Environment | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md line 36: '两个字段需要保存到系统环境变量' ("both fields need to be saved to system environment variables") |
| Database | READ | READ | ✓ Aligned | Supabase sync declared in setup flow |
| Skill Invoke | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
External URLs (3 findings)

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://shopify.dev/docs/api/admin-graphql/latest | SKILL.md:76 |
| Medium | External URL | https://shopify.dev/docs/api/admin-rest/latest | SKILL.md:77 |
| Medium | External URL | https://shopify.dev/docs/api/storefront/latest | SKILL.md:78 |

File Tree
1 file · 4.1 KB · 79 lines (Markdown: 1 file, 79 lines)
└─ SKILL.md (Markdown)
Security Positives
✓ Declares read-only default; write operations limited to blog publish with --confirm flag
✓ Token sanitization declared: only first/last 4 characters shown in logs
✓ Sensitive order fields (email) masked by default
✓ No base64-encoded payloads, no curl|bash, no direct IP calls observed in docs
✓ No suspicious IOCs in documentation (legitimate Shopify dev URLs only)