shopify-automation
Audited by Socket on Feb 27, 2026
1 alert found:
Obfuscated File
The YAML describes a legitimate‑looking Shopify automation skill that intentionally routes all API access through a third‑party MCP (https://rube.app/mcp). The file itself is declarative and contains no hardcoded credentials or embedded executable code, so there is low evidence of intrinsic malware in the fragment. However, the architecture centralizes OAuth tokens and all Shopify traffic at the MCP, creating a material supply‑chain and data‑exposure risk: the MCP operator or a compromised MCP can read, persist, or modify sensitive data and act with granted privileges. Before deploying, verify the MCP operator's trustworthiness (privacy policy, retention, encryption, personnel controls), request least‑privilege OAuth scopes, require explicit per‑action confirmations for destructive operations, and prefer direct Shopify integrations if MCP trust cannot be established.