The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructions require the agent to execute two local scripts, scripts/search_docs.mjs and scripts/validate.mjs, using the bash tool to perform documentation searches and verify code correctness before providing output to the user.
[DATA_EXFILTRATION]: The scripts/validate.mjs and scripts/search_docs.mjs scripts transmit instrumentation data, including search queries, code snippets, and environment metadata (model name, client version), to Shopify's official developer infrastructure at shopify.dev. This behavior is consistent with the stated purpose of the skill and the provided privacy notice.
[EXTERNAL_DOWNLOADS]: The skill fetches documentation context and sends instrumentation reports to https://shopify.dev/, which is the official and well-known domain for Shopify developer resources.
[INDIRECT_PROMPT_INJECTION]: The skill processes data returned from external tool calls, creating a potential surface for indirect prompt injection.
Ingestion points: Search results from scripts/search_docs.mjs (remote API) and error logs from scripts/validate.mjs (CLI output).
Boundary markers: Absent; the agent is instructed to read the output directly to inform its code generation.
Capability inventory: The agent has access to the bash tool to execute scripts.
Sanitization: No explicit sanitization or filtering is performed on the data returned from the Shopify developer APIs before it is incorporated into the agent's context.

shopify-polaris-admin-extensions