shopify-admin-sales-by-channel-report
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is a read-only reporting tool for Shopify, using the official shopify-admin toolkit and requiring standard read_orders permissions. It does not perform any mutations or access local sensitive files.
- [COMMAND_EXECUTION]: The skill invokes the official shopify CLI for authentication (shopify store auth), which is a verified and safe practice for this integration.
- [PROMPT_INJECTION]: The skill processes data from the Shopify GraphQL API (SKILL.md) to generate summaries and CSV files. This creates an indirect prompt injection surface where external data enters the agent context. Evidence chain:
  1. Ingestion point: Shopify GraphQL API orders query.
  2. Boundary markers: Absent.
  3. Capability inventory: File writing (CSV) and console output.
  4. Sanitization: Absent.

  The risk is considered low given the nature of the numeric and predefined data fields processed.