Shopify Expert
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a Shopify documentation and API-guidance skill with no bundled code, but users should review and approve any action that uses Shopify credentials or changes store data.
This skill appears safe to install as a Shopify documentation helper. Before allowing live API calls, make sure the Shopify token has only the scopes needed, keep secrets out of chat, and personally approve any action that changes a live store.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a Shopify Admin token, the agent may be able to read or change store resources allowed by that token.
The skill documents use of Shopify Admin API tokens, which is expected for Shopify API work but can grant access to store data and write permissions depending on scopes.
Send **`X-Shopify-Access-Token`** on Admin API requests ... Typical variable name ... **`SHOPIFY_ADMIN_API_ACCESS_TOKEN`**.
Use least-privilege Shopify scopes, keep tokens in environment variables or secret storage, and do not paste secrets into chat.
Mistaken API writes could alter products, orders, inventory, app settings, or other production store data.
The skill acknowledges Shopify API mutations can have real business impact; this is purpose-aligned and includes user-approval guidance.
Mutations (orders, inventory, products, app installs) can affect **production** revenue. Prefer **dev stores** and explicit human approval for bulk changes.
Require explicit approval for store-changing actions, test in a development store when possible, and verify the shop, API version, and scopes before running mutations.
