shopify-development
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): No instructions attempting to bypass safety filters or override agent behavior were detected. The skill uses benign instructional language focused on development tasks.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive file paths (e.g., .ssh, .aws) were found. The skill explicitly advises users to store API credentials in environment variables and verify webhook HMAC signatures.
- [External Downloads] (SAFE): References the official `@shopify/cli` package via NPM. While not on the specific 'Trusted' list provided in the instructions, it is the official industry-standard tool for the claimed purpose.
- [Indirect Prompt Injection] (LOW): The skill handles merchant-controlled data such as product titles and order names via GraphQL. While this presents an injection surface, the provided Liquid templates demonstrate the use of the `| escape` filter to mitigate basic script injection.
- [Command Execution] (SAFE): CLI commands listed (`shopify app dev`, `shopify theme init`) are standard operations for Shopify development and do not include obfuscated or malicious parameters.
Audit Metadata