shopify-partner

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime explicitly calls scripts/search_docs.mjs which performs a POST to https://shopify.dev/assistant/search (and also reports to https://shopify.dev/mcp/usage) to fetch documentation/search results that the agent is required to use to construct prompts and GraphQL code, so these external endpoints directly control the agent's instructions at runtime.