shop-app
Enables users to search products, track orders, and manage returns through the Shop.app API, enhancing the shopping experience.
Security score
The shop-app skill was audited on May 23, 2026 and we found 31 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Curl to non-GitHub URL
| 47 | curl -s 'https://shop.app/agents/search?query=wireless+earbuds&limit=10&ships_to=US' |
Curl to non-GitHub URL
| 74 | curl -s 'https://shop.app/agents/search?variant_id=33169831854160&limit=10&ships_to=US' |
Curl to non-GitHub URL
| 82 | curl -s -X POST https://shop.app/agents/search \ |
Curl to non-GitHub URL
| 114 | curl -s -X POST https://shop.app/agents/auth/device-code |
Curl to non-GitHub URL
| 120 | curl -s -X POST https://shop.app/agents/auth/token \ |
Curl to non-GitHub URL
| 128 | curl -s https://shop.app/agents/auth/userinfo \ |
Curl to non-GitHub URL
| 134 | curl -s -X POST https://shop.app/agents/auth/token \ |
Curl to non-GitHub URL
| 152 | curl -s 'https://shop.app/agents/orders?limit=50' \ |
Curl to non-GitHub URL
| 198 | curl -s 'https://shop.app/agents/returns?product_id=29923377167' \ |
Access to .env file
| 108 | - Tokens live only for the duration of this conversation. Do not write them to `.env` or any file. |
External URL reference
| 14 | homepage: https://shop.app |
External URL reference
| 15 | upstream: https://shop.app/SKILL.md |
External URL reference
| 30 | **Endpoint:** `GET https://shop.app/agents/search` |
External URL reference
| 47 | curl -s 'https://shop.app/agents/search?query=wireless+earbuds&limit=10&ships_to=US' |
External URL reference
| 55 | - **Product URL** — line starting with `https://` |
External URL reference
| 74 | curl -s 'https://shop.app/agents/search?variant_id=33169831854160&limit=10&ships_to=US' |
External URL reference
| 82 | curl -s -X POST https://shop.app/agents/search \ |
External URL reference
| 114 | curl -s -X POST https://shop.app/agents/auth/device-code |
External URL reference
| 120 | curl -s -X POST https://shop.app/agents/auth/token \ |
External URL reference
| 128 | curl -s https://shop.app/agents/auth/userinfo \ |
External URL reference
| 134 | curl -s -X POST https://shop.app/agents/auth/token \ |
External URL reference
| 152 | curl -s 'https://shop.app/agents/orders?limit=50' \ |
External URL reference
| 182 | Tracking URL: https://ups.com/track?num=… |
External URL reference
| 198 | curl -s 'https://shop.app/agents/returns?product_id=29923377167' \ |
External URL reference
| 214 | 4. Build the checkout URL: `https://{domain}/cart/{variantId}:{quantity}`. |
External URL reference
| 216 | **Example:** `at Allbirds` + `Store domain: allbirds.myshopify.com` + `[variant:789012]` → `https://allbirds.myshopify.com/cart/789012:1` |
External URL reference
| 218 | **Missing variant (e.g. Amazon orders, no `[variant:ID]`):** fall back to a store search link: `https://{domain}/search?q={title}`. |
External URL reference
| 227 | | `store_url` | Store URL (e.g. `https://allbirds.ca`) | |
External URL reference
| 232 | **Pattern:** `https://{store}/cart/{variant_id}:{qty},{variant_id}:{qty}?checkout[email]=…` |
External URL reference
| 261 | https://{shop_domain}/policies/shipping-policy |
External URL reference
| 262 | https://{shop_domain}/policies/refund-policy |