shopify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill documentation recommends global installation of the @shopify/cli package. While this is the primary purpose of the skill and the package is the official tool from Shopify, the organization is not on the predefined whitelist.
- [COMMAND_EXECUTION] (SAFE): The skill provides standard command-line instructions for Shopify app and theme development. All commands are transparent and align with the stated purpose of the skill.
- [Indirect Prompt Injection] (LOW): The skill template processes external data from Shopify webhooks and APIs, creating a potential attack surface.
  - Ingestion points: Webhook payload processing in 'references/app-development.md' and GraphQL response handling.
  - Boundary markers: Absent in provided code snippets.
  - Capability inventory: Project management and deployment via 'shopify' CLI commands.
  - Sanitization: Includes code for verifying HMAC signatures to ensure data integrity and authenticity.
Audit Metadata