shopify-admin-duplicate-customer-finder
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted customer records from the Shopify API, creating a surface for indirect prompt injection.
  - Ingestion points: The customer data is fetched via the 'customers' GraphQL query defined in SKILL.md.
  - Boundary markers: No delimiters or specific instructions to ignore embedded commands are present in the workflow.
  - Capability inventory: The skill is capable of writing data to a local CSV file ('duplicate_customers_.csv').
  - Sanitization: There is no mention of sanitization or escaping of the strings retrieved from Shopify before they are included in the report output.
Audit Metadata