shopify-api

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill routinely fetches and ingests untrusted, user-generated content from Shopify stores (e.g., admin.graphql queries returning product descriptions, metafields, customer notes and files, the storefrontQuery fetch to https://{shop}/..., the bulk results fetch(resultsUrl), and use of arbitrary originalSource/imageUrl values in media uploads), so the agent would read and act on third-party content that could carry indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a Shopify Admin API integration (not a generic HTTP or browser tool) and exposes explicit payment-related mutations and endpoints. It includes operations that change financial state: orderMarkAsPaid, draftOrderComplete (which finalizes/charges draft orders), and orderCancel with a refund option, plus transaction objects on orders. These are specific, built-in e-commerce/payment actions (i.e., sending/marking payments and triggering refunds) rather than generic data queries, so it constitutes direct financial execution capability.