shopify-admin-delivery-time-analysis

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is strictly limited to read-only operations using the Shopify GraphQL API (orders:query and fulfillmentOrders:query). It fetches timestamps and carrier information to calculate transit durations and does not include any mutations, remote code execution, or data exfiltration mechanisms.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes data retrieved from the Shopify API, such as order names and carrier company names. However, the risk is negligible as the skill performs deterministic arithmetic calculations and outputs data to a local CSV file rather than interpreting the data as instructions.
      • Ingestion points: External data enters through GraphQL queries for orders and fulfillment information.
      • Boundary markers: The skill does not implement explicit delimiters to separate external data from its internal instructions.
      • Capability inventory: The skill has the capability to write a local CSV file ('delivery_analysis_.csv').
      • Sanitization: There is no explicit sanitization of API data, but the logic is limited to timestamp subtraction and statistical aggregation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 12, 2026, 08:01 AM