shopify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded API keys, tokens, or secrets were found. Code examples correctly demonstrate using environment variables (
process.env.SHOPIFY_API_KEY) and placeholders. - [EXTERNAL_DOWNLOADS] (SAFE): Recommends installing
@shopify/cliand@shopify/themevia npm. These are official, trusted tools provided by the Shopify organization. - [DATA_EXFILTRATION] (SAFE): All network operations (e.g., fetch to
myshopify.comendpoints) are consistent with the skill's stated purpose of interacting with the Shopify API. - [PROMPT_INJECTION] (SAFE): Instructions are technical and educational. No patterns indicative of system prompt extraction or safety guideline bypasses were found.
- [Indirect Prompt Injection] (LOW): The skill handles data from external APIs (Shopify Admin API).
- Ingestion points: Data enters via
graphqlRequestand webhook endpoints (/webhooks/orders/create). - Boundary markers: Not explicitly defined in code snippets, as they are generic development patterns.
- Capability inventory: Subprocess calls are limited to the
shopifyCLI via the provided workflow instructions. - Sanitization: The skill includes mandatory security practices such as
verifyWebhook(HMAC validation) and OAuth state verification to ensure data integrity.
Audit Metadata