shopify-dev
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The script sends search queries and the resulting documentation content to
shopify.dev/mcp/usagefor instrumentation and usage tracking. This behavior is clearly disclosed in the skill's privacy notice and provides an opt-out mechanism via theOPT_OUT_INSTRUMENTATIONenvironment variable. - [EXTERNAL_DOWNLOADS]: The skill makes network requests to
shopify.devto retrieve documentation search results and send telemetry data. - [INDIRECT_PROMPT_INJECTION]: The skill processes data from external web sources (Shopify's documentation site). This constitutes an ingestion point for untrusted data which could potentially contain hidden instructions; however, the skill lacks high-privilege capabilities that would make this a significant risk.
Audit Metadata