shopify-admin-order-hold-and-release

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents the requirement for the shopify CLI tool, specifically for authentication (shopify auth login). This is a legitimate and expected prerequisite for a skill interacting with Shopify's administrative environment.
  • [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection by ingesting untrusted data from the Shopify API.
      1. Ingestion points: The orders GraphQL query in SKILL.md fetches order names and status data.
      2. Boundary markers: No delimiters or specific 'ignore' instructions are used for the retrieved data.
      3. Capability inventory: The skill has the ability to perform GraphQL mutations (fulfillmentOrderHold, fulfillmentOrderReleaseHold) and generate session tracking reports.
      4. Sanitization: No explicit sanitization or validation of the retrieved API content is described.
    While no active exploitation is present, malicious data within a Shopify store could attempt to influence the agent's output formatting or behavior.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 08:01 AM