shopify-apps

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Download or install from free hosting/deployment platform detected

All findings:
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

Benign documentation and example code for a Shopify app skill. Code and capabilities are generally consistent with the stated purpose. Primary concerns are misuse risks rather than clear malicious behavior: (1) storing API keys in metafields (anti-pattern) — sensitive data should be kept in environment variables or secure server-side storage, (2) checkout extension network_access can be used to send shop/order context to third parties — ensure extensions do not leak identifying data or secrets and audit external endpoints. No evidence of obfuscated or malicious code present in this fragment.

LLM verification: This Skill file describes a standard Shopify app scaffold and contains code and instructions consistent with that purpose. The requested credentials, file access, and network calls align with expected behavior for a Shopify app: configuring the app with SHOPIFY_API_KEY/SECRET, authenticating requests and webhooks, calling the Admin GraphQL API, and storing sessions in Prisma. The static scanner flags are false-positives in context (placeholders, template strings, legitimate npm install instructi

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Mar 18, 2026, 05:00 PM
Package URL: pkg:socket/skills-sh/alinaqi%2Fclaude-bootstrap%2Fshopify-apps%2F@1077f35f2c8610f269cc3ab34ed6a9a9a4d11089