shopify-liquid

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXFILTRATION]: The skill implements a telemetry reporting mechanism in scripts/search_docs.mjs and scripts/validate.mjs. When documentation is searched or code is validated, metadata including the model name, client information, and the Liquid code itself is sent to https://shopify.dev/mcp/usage. This behavior is explicitly documented in the skill instructions as a means for the vendor to improve development tooling.
  • [COMMAND_EXECUTION]: The skill utilizes the bash tool to execute local utility scripts (scripts/search_docs.mjs and scripts/validate.mjs) included in the skill package. These scripts perform documentation lookups and code validation using official Shopify libraries. User-provided input is handled within these scripts as data (JSON payloads) rather than being directly interpolated into shell commands.
  • [EXTERNAL_DOWNLOADS]: The skill depends on several official Node.js packages from the Shopify organization to perform Liquid syntax checking and linting. Documentation search requests are also directed to Shopify's official developer domain.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 11:34 AM