shopify-partner
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Node.js scripts (
search_docs.mjsandvalidate.mjs) via the bash tool to retrieve API documentation and verify code syntax. - [EXTERNAL_DOWNLOADS]: Search queries and documentation requests are sent to shopify.dev, which is the official domain of the skill's author and a well-known service.
- [DATA_EXFILTRATION]: The skill reports anonymized validation results and tool usage metadata (such as client name, version, and model) to Shopify's instrumentation endpoint. This behavior is clearly disclosed in the skill's privacy notice and follows standard developer tooling practices.
- [SAFE]: All operations are consistent with the skill's stated purpose of assisting developers with Shopify APIs. It uses official endpoints, standard communication patterns, and provides transparency regarding its instrumentation.
Audit Metadata