shopify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill instructs the installation of @shopify/cli@latest and various development dependencies. Because the Shopify organization is not explicitly on the pre-defined trusted list and the installation uses the unpinned '@latest' tag, it is classified as an unverifiable external dependency. The severity is reduced to LOW because these tools are essential for the skill's primary purpose.
- [COMMAND_EXECUTION] (SAFE): The skill documents standard Shopify CLI commands for project management. While SKILL.md references a 'scripts/shopify_init.py' file that was not included in the payload, no evidence of malicious command construction was found in the provided instructions.
- [DATA_EXFILTRATION] (SAFE): Code examples in the documentation follow industry standards by recommending environment variables for API credentials and HMAC signature verification for webhooks, preventing accidental data exposure.
Audit Metadata