Shopify Product Uploader
v1.0.0Upload and manage Shopify products individually or in bulk with SEO-optimised titles, descriptions, tags, support for variants, collections, inventory, and d...
⭐ 0· 66·0 current·0 all-time
byHussain Khuzema@hussainpatan9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (upload/manage Shopify products, SEO content, bulk CSVs) align with the actions described in SKILL.md: it constructs product JSON and calls Shopify Admin APIs. Required information (store handle, Admin API token, API version, optional defaults) is exactly what a Shopify integration needs.
Instruction Scope
Instructions remain focused on creating/updating Shopify products, collections, and inventory. They do instruct the agent to fetch store locations and to read CSVs or image URLs for bulk or image-based uploads (examples reference /workspace paths), which is expected. Note: the skill explicitly asks to capture and persist the Admin API token in long‑term memory — this extends the skill's runtime scope beyond a single operation because it enables future API calls without re-prompting the user.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk or fetched at install time, which minimizes supply-chain risk.
Credentials
No platform environment variables are declared, but the skill requires an Admin API access token (shpat_...) and store handle provided interactively and stored in memory. That credential is appropriate for the stated functionality, but an Admin token is powerful — the skill appropriately documents scopes required. The registry metadata not declaring primary credential is explainable for an instruction-only skill but worth noting.
Persistence & Privilege
always:false (good), but the skill instructs storing the SHOPIFY_ACCESS_TOKEN and SHOPIFY_LOCATION_ID in long‑term memory so the agent can reuse them. Combined with normal autonomous invocation (disable-model-invocation:false), that means the agent could later act on the store using the stored token without re-prompting the user. If you don't want that, avoid storing the token persistently or require explicit confirmation before every API call.
Assessment
This skill appears to do what it claims: it will prompt you to provide your Shopify store handle and an Admin API token (shpat_...) and then use that token to call your store's Admin API to create/update products and inventory. Before installing or activating it: 1) Prefer creating a custom app token with only the minimum scopes listed (write_products, read_products, write_inventory, read_inventory, write_collections, read_collections) rather than using a full-store owner token. 2) Confirm how OpenClaw stores long‑term memory in your deployment (encryption, who/what can access those secrets) — if you’re uncomfortable, don’t allow persistent storage and instead require the token per session. 3) Understand the agent can act autonomously by default; if you want to prevent background changes, disable autonomous invocation or require explicit user confirmation (the SKILL.md says it will ask for YES before uploading, but persistent tokens enable later uploads). 4) Verify the skill source/owner before granting access — there’s no homepage and the publisher is an opaque ID. 5) Rotate the token if you ever revoke the skill’s access. If you follow these precautions the skill is coherent with its purpose and usable; if you cannot limit token scope or memory persistence, treat it as higher risk.Like a lobster shell, security has layers — review code before you run it.
bulk-uploadvk979vba1b7tajw6vc2brqk9xcn84jfhyecommercevk979vba1b7tajw6vc2brqk9xcn84jfhylatestvk979vba1b7tajw6vc2brqk9xcn84jfhyproductsvk979vba1b7tajw6vc2brqk9xcn84jfhyseovk979vba1b7tajw6vc2brqk9xcn84jfhyshopifyvk979vba1b7tajw6vc2brqk9xcn84jfhyukvk979vba1b7tajw6vc2brqk9xcn84jfhy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.