Shopify Admin API

v1.0.0

Manage Shopify store data including orders, products, variants, customers, inventory, fulfillments, refunds, returns, and transactions via the Admin REST API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes full read/write access to the Shopify Admin API (orders, products, customers, inventory, returns, etc.), which is coherent with the skill name. However, the registry metadata provided with the skill does not declare the environment variables or primary credential that the instructions require (SHOPIFY_STORE_DOMAIN and SHOPIFY_ACCESS_TOKEN), creating an inconsistency between claimed capabilities and declared requirements.
! Instruction Scope
The runtime instructions are concrete curl examples that perform high-privilege actions (create/update/delete products and orders). They reference two environment variables (SHOPIFY_STORE_DOMAIN and SHOPIFY_ACCESS_TOKEN) and require an Admin API access token. There are no instructions to read unrelated local files or system paths, but the SKILL.md uses env vars that are not declared in the skill metadata — instructions therefore expect secrets that the registry does not advertise.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing will be downloaded or written to disk by the skill itself.
! Credentials
The instructions legitimately require SHOPIFY_STORE_DOMAIN and SHOPIFY_ACCESS_TOKEN (an Admin API token). Those are appropriate for the described functionality, but the skill metadata omits requiring them and does not mark a primary credential. Because the token grants administrative read/write power, the absence of an explicit primaryEnv declaration and missing required-env metadata reduces transparency and increases risk that a user could accidentally provide overly-permissive credentials.
! Persistence & Privilege
The skill does not set always:true (so it is not force-included), but it also does not disable model invocation. That means the model could invoke this skill autonomously. Combined with the skill's ability to perform destructive admin actions (delete orders/products, cancel orders, etc.), allowing autonomous invocation without an explicit guard is a material risk.
What to consider before installing
This instruction-only skill appears to be a legitimate Shopify Admin API helper, but there are important mismatches and privilege concerns you should address before installing:

- Metadata vs instructions: The SKILL.md requires SHOPIFY_STORE_DOMAIN and SHOPIFY_ACCESS_TOKEN, but the skill metadata does not declare these env vars or a primary credential. Ask the publisher (or the platform) to explicitly declare the required env vars and mark SHOPIFY_ACCESS_TOKEN as the primary credential.
- Least privilege: Issue a custom app token with the minimal scopes needed (prefer read-only when possible). Avoid granting broad write scopes unless strictly necessary.
- Model invocation: Because the skill can perform destructive admin operations, consider disabling autonomous model invocation (set disableModelInvocation: true) so actions require explicit user intent.
- Audit and lifecycle: Use a dedicated app token you can revoke/rotate; enable Shopify audit logs for actions performed by the token; test with a non-production store first.
- Verify source and provenance: The skill has no homepage or source listed. Prefer skills with a known publisher or hosted source; if you must use this, review the SKILL.md in full and ensure the platform prompts before exposing admin tokens.

If the publisher updates the metadata to declare the required env vars and the platform enforces explicit user consent and logging, the inconsistencies would be resolved and the integration would be easier to trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk97480h4qjbkd86dwvd3wmq79h80e8gt
