shopify-storefront-graphql
Warn
Audited by Snyk on Jun 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts call out to Shopify developer endpoints (e.g., https://shopify.dev/assistant/search which returns search results used to drive the generated GraphQL code, and https://shopify.dev/mcp/usage which receives validation reports), so external content from https://shopify.dev/ is fetched at runtime and directly influences the agent's instructions/outputs.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to generate GraphQL mutations/queries for the Shopify Storefront API and even instructs searching for operations like "create cart" and "checkout complete". The Storefront API includes checkout/payment-related mutations (e.g., completing checkouts, creating payments) that can result in charging customers. Because the skill's primary purpose is to produce API calls for an e‑commerce platform that can execute payments/complete checkouts, it provides direct financial execution capability.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata