shopify-developer
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: No malicious instructions, jailbreak attempts, or safety bypass patterns were detected. The content is strictly educational.
- [DATA_EXPOSURE_AND_EXFILTRATION]: All sensitive parameters (API keys, access tokens) are represented by standard documentation placeholders such as 'shpat_...', '{public_token}', and '{api_key}'. No actual credentials or sensitive local file paths are exposed.
- [OBFUSCATION]: No obfuscated code or hidden characters were found. The mention of Base64 encoding/decoding is limited to standard Liquid filters used in the Shopify platform.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Dependencies and tools referenced include the official Shopify CLI and the Anthropic MCP server for Shopify development. These originate from well-known services or trusted organizations and are considered safe.
- [PRIVILEGE_ESCALATION]: The skill uses standard package managers (npm, brew) for tooling installation without requesting elevated permissions or using insecure command flags.
- [PERSISTENCE_MECHANISMS]: No attempts to modify shell profiles, system services, or scheduled tasks were detected.
- [METADATA_POISONING]: Metadata fields are accurate and consistent with the provided technical content.
- [INDIRECT_PROMPT_INJECTION]: The skill documents webhooks and app proxies, which represent external data ingestion points. It explicitly mitigates these risks by providing code examples for HMAC verification and HTML sanitization.
- Ingestion points: Webhook routes and App Proxy endpoints in app-development.md.
- Boundary markers: Standard HTTP headers and JSON boundaries are utilized.
- Capability inventory: GraphQL API mutations and local database operations.
- Sanitization: Code includes HMAC signature verification logic and XSS prevention warnings.
- [TIME_DELAYED_ATTACKS]: No logic was found that gates actions based on date, time, or environmental triggers.
- [DYNAMIC_EXECUTION]: Describes the use of WebAssembly (Wasm) for Shopify Functions and standard JavaScript execution patterns for development, all of which align with platform-specific norms.
Audit Metadata