shopify-app-dev
Facilitates custom Shopify app development using Shopify CLI, OAuth, and modern frameworks like Hydrogen and Remix.
Security score
The shopify-app-dev skill was audited on Feb 28, 2026 and we found 36 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 223 | variables: { id: `gid://shopify/Product/${params.id}` }, |
Template literal with variable interpolation in command context
| 254 | id: `gid://shopify/Product/${params.id}`, |
Template literal with variable interpolation in command context
| 412 | container.innerHTML = reviews.map(review => ` |
Template literal with variable interpolation in command context
| 453 | console.log(`Webhook received: ${topic} from ${shop}`); |
Template literal with variable interpolation in command context
| 504 | console.log(`Order ${order.id} received for ${order.email}`); |
Fetch to external URL
| 342 | const response = await fetch("/api/export", { |
Webhook reference - potential data exfiltration
| 84 | [webhooks] |
Webhook reference - potential data exfiltration
| 87 | [[webhooks.subscriptions]] |
Webhook reference - potential data exfiltration
| 89 | uri = "/webhooks" |
Webhook reference - potential data exfiltration
| 441 | ### 5. Webhooks in Apps |
Webhook reference - potential data exfiltration
| 445 | **app/routes/webhooks.jsx:** |
Webhook reference - potential data exfiltration
| 451 | const { topic, shop, session, admin, payload } = await authenticate.webhook(request); |
Webhook reference - potential data exfiltration
| 453 | console.log(`Webhook received: ${topic} from ${shop}`); |
Webhook reference - potential data exfiltration
| 485 | console.log("Unhandled webhook topic:", topic); |
Webhook reference - potential data exfiltration
| 508 | **Register Webhooks (app/shopify.server.js):** |
Webhook reference - potential data exfiltration
| 528 | webhooks: { |
Webhook reference - potential data exfiltration
| 531 | callbackUrl: "/webhooks", |
Webhook reference - potential data exfiltration
| 535 | callbackUrl: "/webhooks", |
Webhook reference - potential data exfiltration
| 539 | callbackUrl: "/webhooks", |
Webhook reference - potential data exfiltration
| 543 | callbackUrl: "/webhooks", |
Webhook reference - potential data exfiltration
| 710 | 3. **Handle webhook events** for real-time updates |
Webhook reference - potential data exfiltration
| 741 | # Configure webhooks |
Ngrok tunnel reference
| 101 | # - Public tunnel URL: https://random-subdomain.ngrok.io |
Access to .env file
| 113 | **Environment Variables (.env):** |
Access to .env file
| 519 | apiKey: process.env.SHOPIFY_API_KEY, |
Access to .env file
| 520 | apiSecretKey: process.env.SHOPIFY_API_SECRET, |
Access to .env file
| 521 | scopes: process.env.SCOPES?.split(","), |
Access to .env file
| 522 | appUrl: process.env.SHOPIFY_APP_URL, |
External URL reference
| 71 | application_url = "https://your-app.com" |
External URL reference
| 80 | "https://your-app.com/auth/callback", |
External URL reference
| 81 | "https://your-app.com/auth/shopify/callback" |
External URL reference
| 100 | # - Local development URL: http://localhost:3000 |
External URL reference
| 101 | # - Public tunnel URL: https://random-subdomain.ngrok.io |
External URL reference
| 119 | SHOPIFY_APP_URL=https://your-app.com |
External URL reference
| 560 | Proxy URL: https://your-app.com/api/proxy |
External URL reference
| 565 | https://store.com/apps/reviews → proxies to → https://your-app.com/api/proxy |