shopify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- External Downloads (SAFE): The skill instructs the user to install
@shopify/cliand related packages from npm. These are official development tools from Shopify, a trusted platform provider. - Indirect Prompt Injection (LOW): The skill provides GraphQL query patterns to fetch data such as product descriptions, order notes, and customer details. This external data could contain malicious instructions designed to influence an AI agent's behavior.
- Ingestion points:
references/app-development.md(GraphQL queries for orders, products, and metafields). - Boundary markers: Absent; code snippets do not include delimiters or warnings to ignore embedded instructions in the fetched data.
- Capability inventory: The skill facilitates network operations via
fetchto interact with the Shopify API. - Sanitization: No sanitization or validation logic is provided for the data retrieved from external API calls.
Audit Metadata