sfcc-ocapi-scapi
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues detected. The skill follows industry best practices for API integration, such as using Proof Key for Code Exchange (PKCE) for public client authentication and recommending the use of environment variables for sensitive credentials.
- [EXTERNAL_DOWNLOADS]: The skill mentions official Salesforce SDKs (@salesforce/commerce-sdk-react and commerce-sdk-isomorphic) as recommended tools. These are well-known, trusted packages from a reputable organization.
- [DATA_EXFILTRATION]: Network operations are directed exclusively at official Salesforce and Demandware domains (*.api.commercecloud.salesforce.com, account.demandware.com). These are established, well-known services for the intended functionality.
- [CREDENTIALS_UNSAFE]: The skill correctly uses environment variable placeholders (e.g., process.env.SFCC_OCAPI_CLIENT_SECRET) rather than hardcoding secrets. It explicitly warns against committing credentials to source control in the fulfillment task description.
Audit Metadata