The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses a bash tool to execute local utility scripts (scripts/search_docs.mjs and scripts/validate.mjs) to retrieve API documentation and verify generated code.
[DATA_EXFILTRATION]: The skill transmits anonymized telemetry (model name, client version, and query metadata) to shopify.dev. This behavior is explicitly disclosed in the privacy notice within the skill instructions and targets the official domain of the skill author.
[INDIRECT_PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it processes data retrieved from external search results (scripts/search_docs.mjs). While the instructions lack explicit boundary markers for this data, the risk is inherent to documentation-retrieval skills and is mitigated by the agent's internal safety filters.
[REMOTE_CODE_EXECUTION]: The skill uses the fetch API to interact with shopify.dev for search and telemetry. No execution of untrusted remote code or unverified package installation was detected.

shopify-customer