Shopify Manager Cli

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Shopify admin CLI wrapper, but it uses a powerful Shopify access token and can change store content or upload selected local files.

Install only if you intend this agent to manage your Shopify store. Use a least-privilege Shopify token, review commands before they run, confirm deletes carefully, and only upload local files you intentionally selected.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is over-scoped or used with the wrong command, store products, content, files, or metadata could be changed.

Why it was flagged

The skill requires a Shopify Admin API token with write permissions. This is expected for managing a Shopify store, but it grants significant delegated authority.

Skill content

`SHOPIFY_ACCESS_TOKEN` — Admin API access token (`shpat_…`); scopes include `write_products`, `write_metaobjects`, `write_content`, and `write_files`

Recommendation

Use a dedicated Shopify custom app token with only the scopes you need, keep it secret, and revoke or rotate it when no longer needed.

What this means

A mistaken create, update, publish, upload, or delete command could alter live Shopify data.

Why it was flagged

The agent is directed to execute local CLI commands that perform Shopify API actions. Delete confirmation is explicitly required, which helps, but other mutations can still affect a live store.

Skill content

Run the command using the Bash tool. ... **For delete operations**: always confirm with the user before executing.

Recommendation

Review the generated command, resource IDs, and intended changes before allowing mutations; consider requiring confirmation for publish or major update actions too.

What this means

Providing the wrong path could upload an unintended local file to the Shopify store.

Why it was flagged

The skill can read a user-specified local file path and upload that file to Shopify. This is disclosed and purpose-aligned for product images/files, but the selected path matters.

Skill content

When a command accepts `--image-file` or a local file path, pass the path as-is; the script reads the file from disk and uploads it via Shopify's staged-upload API

Recommendation

Only provide paths to files you intend to upload, and avoid using broad or sensitive local paths.