registry  /  @cnr-mtsn/shopify  /  3.0.0

@cnr-mtsn/shopify@3.0.0

⚠ Under review

Shopify developer CLI suite — interactive Ink launcher for theme dev setup, Node/Express app scaffolding, and Admin GraphQL queries

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 31.5 KB of source

Source & flagged code

1 flagged · loading source
templates/node-app/src/config/shopify.jsView file
9const requiredEnvVars = ['SHOPIFY_CLIENT_ID', 'SHOPIFY_CLIENT_SECRET']; L10: const missingVars = requiredEnvVars.filter((varName) => !process.env[varName]); L11: if (missingVars.length > 0) { ... L51: try { L52: const response = await fetch(`https://${shop}/admin/oauth/access_token`, { L53: method: 'POST', L54: headers: { 'Content-Type': 'application/json' }, L55: body: JSON.stringify({ L56: client_id: process.env.SHOPIFY_CLIENT_ID, ... L62: if (!response.ok) { L63: const errorText = await response.text(); L64: const error = new Error(`Failed to get access token: ${response.status}`);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

templates/node-app/src/config/shopify.jsView on unpkg · L9

Findings

1 Critical2 Medium4 Low
CriticalCredential Exfiltrationtemplates/node-app/src/config/shopify.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings