Bigcommerce Commerce
Review
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a benign BigCommerce development reference, with expected cautions around web lookups and high-privilege BigCommerce API/OAuth work.
This skill is reasonable to install for BigCommerce development help. Before using generated code or commands on a live store, review anything that pushes themes, changes or deletes catalog/customer/order data, processes checkout or payments, or handles OAuth/API tokens. Prefer sandbox stores, least-privilege scopes, and secure secret storage.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may browse official documentation sites before writing BigCommerce code.
The skill directs the agent to use web search/fetch tools as part of its normal workflow. This is purpose-aligned for up-to-date SaaS API documentation, but it means network lookups are expected during use.
Before writing any BigCommerce implementation code, you MUST web-search and/or web-fetch the relevant official documentation.
Allow web access only when appropriate, prefer official BigCommerce sources, and do not let retrieved content override the user's specific instructions.
If the user asks the agent to run or generate store-changing API calls, mistakes could affect products, customers, orders, themes, or other commerce data.
The skill documents BigCommerce API operations that can create, update, or delete live store resources. These are presented as reference material for the stated development purpose, not as automatic execution instructions.
`/v3/catalog/products` | GET, POST, PUT, DELETE | Products CRUD ... `DELETE /v3/catalog/products?id:in=1,2,3` — delete multiple
Use a sandbox where possible, require explicit approval before live mutations or deletes, and review generated API calls before running them.
Generated apps may handle tokens that can access or modify store data if granted broad scopes.
The skill includes expected BigCommerce OAuth guidance involving long-lived store credentials. The same file also recommends minimum scopes, secure storage, JWT verification, and uninstall cleanup.
Your app receives a permanent API token for that store ... Store the `access_token`, `store_hash`, and `scope` for future API calls
Use least-privilege BigCommerce scopes, store tokens in a secrets manager or encrypted database, rotate credentials when needed, and confirm cleanup on uninstall.
