shopify-development

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill clearly fetches and ingests external, potentially untrusted merchant data from third‑party Shopify stores (e.g., scripts/shopify_graphql.py posts to https://{shop}/admin/api/2026-01/graphql.json and references/extensions.md show fetches/useApi sessionToken to call external APIs), and those responses (products, orders, metafields, tags) are parsed and used to drive actions (pagination, fulfillment, metafield updates, discount logic), so untrusted content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly references billing and payment-related capabilities: it mentions "billing", "billing API integration" and "GraphQL mutations for ... billing" (references/app-development.md), Checkout/Shopify Functions for "discounts/payment/delivery", and order-read/write scopes. These are specific Shopify APIs and functions used to create and manage charges/checkout behavior (i.e., directly initiate or manage payments/billing). That meets the definition of direct financial execution authority.