shopify-development
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/shopify_init.py` uses the `subprocess.run` function to check for the presence of the Shopify CLI by executing the `shopify version` command. This call is implemented using a static list of arguments and does not use a shell, which is a secure practice that prevents command injection.
- [EXTERNAL_DOWNLOADS]: The skill documentation correctly identifies the official Shopify CLI as a prerequisite and provides instructions to install it from the npm registry. These packages are maintained by a well-known vendor (Shopify) and represent standard development dependencies.
- [CREDENTIALS_UNSAFE]: The skill emphasizes security by instructing developers to store Shopify API keys and secrets in environment variables rather than hardcoding them. The `EnvLoader` class in `scripts/shopify_init.py` is designed to securely load these configurations from `.env` files within the agent's environment.
- [REMOTE_CODE_EXECUTION]: No patterns of remote code execution, such as piping network downloads directly into a shell, were found in the skill's instructions or scripts.
Audit Metadata