pp-shopify
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of external binaries not included in the package. It instructs the user to use 'npx' to install '@mvanhorn/printing-press' and 'go install' to fetch the library from 'github.com/mvanhorn/printing-press-library'.
- [DATA_EXFILTRATION]: The CLI tool provides a '--deliver webhook:' flag. This capability allows the agent to automatically POST command results (which may contain sensitive Shopify data such as customer details, order history, and inventory status) to an arbitrary external URL, including one controlled by an attacker.
- [COMMAND_EXECUTION]: The skill operates by executing the 'shopify-pp-cli' binary through shell commands. The installation process relies on 'npx' and 'go install', which download and execute code from remote registries and repositories.
Audit Metadata