shopify-hydrogen

Warn

Audited by Snyk on Mar 31, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The SKILL.md "Before writing code" explicitly instructs the agent to fetch live docs from https://shopify.dev/docs/storefronts/headless/hydrogen and to web-search GitHub (site:github.com) for Hydrogen source/examples—public third-party sites whose content the agent is expected to read and use to determine API fields, caching, and implementation decisions, exposing it to untrusted user-generated content that could influence actions.

Issues (1)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 31, 2026, 06:10 AM
Issues
1
Security Audit — snyk — shopify-hydrogen