shopify-products

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes curl/GraphQL examples that embed an X-Shopify-Access-Token header and lists an Admin API access token as a prerequisite, which implies the agent must insert the secret verbatim into requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (SKILL.md, "Step 1: Gather Product Data") explicitly accepts "Website scraping (user provides a URL to extract from)" and allows using public image URLs and scraped page content when building product fields, meaning the agent will fetch and interpret arbitrary public web content that could contain untrusted, user-generated instructions affecting automated product-creation actions.