shopify-bulk-sync
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): The content consists of legitimate technical documentation and does not contain instructions to override AI safety or behavior.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive file paths were detected. The network operations described follow the standard Shopify 'staged uploads' protocol for data synchronization.
- [Remote Code Execution] (SAFE): No commands for downloading and executing remote scripts (e.g., curl|bash) are present. The JavaScript examples use standard web APIs for data processing.
- [Persistence & Privilege Escalation] (SAFE): There are no attempts to modify system configuration, scheduled tasks, or acquire elevated permissions.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process large batches of external data (items/metafields). While this constitutes an attack surface, the provided logic uses standard serialization (JSON.stringify) and the risk is considered low and inherent to the data synchronization use case.
Audit Metadata