Skills
skills/orcaqubits/agentic-commerce-skills-plugins/shopify-api-rest/Gen Agent Trust Hub

shopify-api-rest

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch documentation from 'shopify.dev' using WebFetch and WebSearch tools. This is a legitimate use of external resources targeting well-known official documentation for the purpose of API migration.
  • [DATA_EXFILTRATION]: No evidence of unauthorized data access or exfiltration. Authentication patterns described (e.g., X-Shopify-Access-Token) use placeholders and follow industry-standard practices for API documentation.
  • [COMMAND_EXECUTION]: While the skill allows the 'Bash' tool, no specific commands are provided or executed in the instructions. The tool access is consistent with a developer-focused migration skill.
  • [PROMPT_INJECTION]: No prompt injection patterns, role-play attempts, or system prompt overrides were detected. The instructions remain focused on the stated migration purpose.
  • [DATA_EXPOSURE]: The skill identifies an indirect prompt injection surface as it ingests data via WebSearch and WebFetch from external sources. However, as these searches are restricted to official Shopify domains, the risk is minimal. No explicit boundary markers or sanitization logic is present in the skill instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 06:09 AM