shopify-polaris-customer-account-extensions
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill originates from Shopify and utilizes official vendor domains (shopify.dev, shopify.io) for its functional and telemetry components. External communications are limited to documentation search and disclosed usage reporting.
- [SAFE]: The documentation search tool (scripts/search_docs.mjs) and the validation tool (scripts/validate.mjs) use standard network and static analysis APIs. No evidence of remote code execution or dangerous dynamic execution was found.
- [SAFE]: Telemetry reporting for validation results is explicitly disclosed in the skill's SKILL.md and is directed to Shopify's own usage monitoring endpoint.
- [SAFE]: The skill does not contain any prompt injection attempts, obfuscation, or mechanisms for persistence or privilege escalation. It follows standard Shopify development practices.
Audit Metadata