shopify-app-bridge
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- EXTERNAL_DOWNLOADS (SAFE): The skill documentation includes references to `https://cdn.shopify.com/shopifycloud/app-bridge.js` and the `@shopify/app-bridge-react` NPM package. These are official first-party resources provided by Shopify for the functionality described. While the domain is not on the specific developer-provided 'Trusted Organizations' list, it is the authoritative source for this specific integration and aligns with the skill's primary purpose.
- CREDENTIALS_UNSAFE (SAFE): The code examples use the placeholder `'YOUR_API_KEY'` for configuration. No real secrets or hardcoded credentials were found.
- INDIRECT_PROMPT_INJECTION (SAFE): The skill describes an ingestion point for external data (the `host` parameter from `location.search`), but this is standard practice for Shopify app initialization and does not expose the LLM to adversarial control of its own instructions.
- COMMAND_EXECUTION (SAFE): No dangerous shell commands, subprocess calls, or privilege escalation patterns were identified.
Audit Metadata