shopify

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [Prompt Injection] (SAFE): No instructions attempting to override agent behavior or bypass safety filters were detected. The content is strictly educational and instructional.
  • [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or unauthorized data access patterns found. The documentation correctly identifies best practices for securing API keys using environment variables.
  • [Obfuscation] (SAFE): No encoded strings, hidden characters, or obfuscated logic detected.
  • [Unverifiable Dependencies & Remote Code Execution] (SAFE): Dependencies are standard development tools (Shopify CLI, pytest) and are clearly documented. No suspicious remote code execution or shell-piping patterns were found.
  • [Indirect Prompt Injection] (LOW): This skill defines an untrusted data ingestion surface.
      1. Ingestion points: Webhook body (req.body) in references/app-development.md.
      2. Boundary markers: Absent in code templates.
      3. Capability inventory: Subprocess calls via shopify CLI and network operations via fetch.
      4. Sanitization: HMAC signature verification is explicitly documented as a security requirement in references/app-development.md.
    Given the documentation context, this is a routine integration pattern and is rated as LOW.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:41 PM