shopify-polaris-viz

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Unverifiable Dependencies] (LOW): The skill instructs the user to install '@shopify/polaris-viz', '@shopify/polaris', and '@shopify/polaris-tokens' via npm. While these are well-known packages from Shopify, the organization is not included in the predefined trusted source list. The severity is reduced from MEDIUM to LOW because these dependencies are fundamental to the skill's stated purpose of providing visualization tools.
  • [Indirect Prompt Injection] (LOW):
    • Ingestion points: Chart components (e.g., BarChart, LineChart) ingest untrusted data arrays via the 'data' prop in SKILL.md.
    • Boundary markers: No explicit markers or 'ignore' instructions are provided to separate visualized data from the agent's logic.
    • Capability inventory: The skill is limited to rendering UI components and does not involve file-system access or network operations beyond the component lifecycle.
    • Sanitization: No data sanitization or validation logic is demonstrated in the implementation examples.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:25 PM