shopify-app-dev

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches technical documentation and API references from Shopify's official developer portal (shopify.dev) and official GitHub repositories. These are well-known technology services and the retrieval of their documentation is a standard, safe operation for a development-focused skill.- [COMMAND_EXECUTION]: Instructs the agent to use the shopify app init command to bootstrap projects. This is the official CLI tool provided by Shopify for application development and is used here as intended.- [PROMPT_INJECTION]: The skill ingests external data by fetching live documentation and searching the web to ensure generated code is up-to-date. This constitutes an indirect prompt injection surface where the agent's behavior could be influenced by external content. However, the risk is considered safe given the focus on official reputable sources.
  • Ingestion points: WebFetch of documentation from shopify.dev and GitHub, and WebSearch results.
  • Boundary markers: Absent; the agent is directed to incorporate fetched information directly into the development workflow.
  • Capability inventory: The skill utilizes Write, Edit, and Bash tools to create and modify application code.
  • Sanitization: No specific filtering or validation of the fetched documentation content is defined.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 02:50 PM
Security Audit — agent-trust-hub — shopify-app-dev