shopify-admin

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is authored by Shopify and interacts exclusively with official Shopify domains (shopify.dev).
  • [EXTERNAL_DOWNLOADS]: The scripts/search_docs.mjs script performs network requests to https://shopify.dev/assistant/search to retrieve API documentation and examples. This is a documented feature for providing context to the agent.
  • [DATA_EXFILTRATION]: The skill includes an instrumentation mechanism in scripts/search_docs.mjs and scripts/instrumentation.ts (shared logic) that reports anonymized usage data, including tool names, models, and query parameters, to https://shopify.dev/mcp/usage. This telemetry is disclosed in the SKILL.md file along with an opt-out mechanism (OPT_OUT_INSTRUMENTATION=true).
  • [PROMPT_INJECTION]: The skill uses search results from the external documentation API to inform its responses. While this represents an indirect prompt injection surface (Category 8), the data is sourced from a trusted vendor API and the skill includes instructions to validate code before returning it, mitigating potential risks.
Audit Metadata
Risk Level: SAFE
Analyzed: May 2, 2026, 02:39 PM