shopify
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses an attack surface for Indirect Prompt Injection. It is designed to ingest and process data from external sources such as the Shopify GraphQL/REST APIs and incoming Webhook payloads (Ingestion points). Simultaneously, the skill has high-impact capabilities including shopify app deploy, shopify theme push, and managing local tunnels (Capability inventory). There are no defined boundary markers or sanitization routines provided in the skill instructions to prevent malicious content within API responses or webhooks from manipulating agent logic during a deployment workflow.
- External Downloads & Unverifiable Dependencies (MEDIUM): The skill requires the installation of @shopify/cli and various React-based UI extensions. As 'Shopify' is not included in the 'Trusted GitHub Organizations' or 'Trusted GitHub Repositories' lists, these downloads are classified as unverifiable external dependencies.
- Command Execution (MEDIUM): The skill utilizes numerous CLI commands (shopify app init, shopify app dev, shopify theme push) that involve subprocess execution and remote environment modification. Additionally, it references a local script, scripts/shopify_init.py, which was not provided for analysis, making its actual behavior unverifiable.
- Data Exposure (LOW): The skill provides guidance on storing credentials in environment variables (Best Practice), but the core functionality involves managing sensitive merchant and customer data (PII) via APIs, which requires strict adherence to data handling policies.
Recommendations
- AI detected serious security threats
Audit Metadata