shopify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (SAFE): The skill facilitates the processing of store data through Shopify's APIs, which is an ingestion point for external content.
- Ingestion points: Shopify GraphQL and REST Admin APIs (Products, Orders, Customers, Webhooks).
- Boundary markers: No specific delimiters or boundary markers are defined in the provided snippets for handling external strings.
- Capability inventory: Subprocess execution via Shopify CLI commands and local initialization script (
scripts/shopify_init.py). - Sanitization: The documentation correctly emphasizes verifying webhook signatures and using session tokens for security.
- [External Downloads] (SAFE): The instructions include the installation of
@shopify/clivia npm. This is a trusted tool from a verified organization. - [Credential Safety] (SAFE): The skill follows security best practices by advising developers to store API credentials in environment variables rather than hardcoding them.
Audit Metadata