shopify-security
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: The instructions and code samples provided follow security best practices, specifically recommending the use of crypto.timingSafeEqual for secret comparisons and avoiding the storage of secrets in source code.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch configuration and implementation details from Shopify's official developer documentation portal (shopify.dev). This reference to a well-known service is documented as a safe operation.
- [PROMPT_INJECTION]: The skill includes instructions to search for and fetch external documentation, which creates an indirect prompt injection surface. This is assessed as safe due to the reliance on trusted documentation from a well-known provider. Evidence:
  * Ingestion points: WebSearch and WebFetch for shopify.dev in SKILL.md.
  * Boundary markers: Absent.
  * Capability inventory: Write, Edit, and Bash tools.
  * Sanitization: No explicit sanitization performed on the documentation content.
Audit Metadata