shopify-developer
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill references the installation of the `@shopify/cli` package and the use of `npx shopify hydrogen`. Because the `@shopify` organization is not included in the predefined list of trusted external sources, these are classified as unverifiable dependencies.
- COMMAND_EXECUTION (MEDIUM): The documentation for Shopify Functions includes build commands such as `cargo wasi build` and `npx javy compile`. This involves the runtime compilation of source code into executable WebAssembly modules, which carries inherent risks if the source code or build tools are compromised.
- CREDENTIALS_UNSAFE (LOW): Several reference files mention sensitive environment variables such as `SESSION_SECRET` and `PRIVATE_STOREFRONT_API_TOKEN`. However, these are documented using descriptive placeholders (e.g., 'your-secret') rather than actual hardcoded secrets, adhering to safe documentation practices.
Audit Metadata