shopify
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes store and customer data from the Shopify Admin API, which presents a surface for indirect prompt injection if the external data contains malicious instructions designed to influence the agent.
  - Ingestion points: Data is fetched from the Shopify Admin API in scripts/shopify_client.py and processed in scripts/analyze.py.
  - Boundary markers: Fetched data is presented to the agent without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill performs network read operations (Shopify API) and local file write operations (audit reports).
  - Sanitization: The scripts utilize standard JSON and CSV parsing; no content-based filtering for natural language instructions is applied to the fetched data.
- [SAFE]: The skill implements security best practices by advising the use of environment variables for API credentials and including directory traversal checks in the report generation scripts.
Audit Metadata