Shopify Admin API
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a broad Shopify Admin API reference that requires a powerful store access token and includes high-impact write/delete operations without clear guardrails or accurate credential metadata.
Install only if you intentionally want an agent to help administer a Shopify store. Use a dedicated least-privilege Shopify custom app token, avoid broad write scopes unless required, require explicit confirmation before destructive or financial actions, and consider testing on a development store before using it on production.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these instructions incorrectly, it could change or delete products, cancel orders, alter customer/order data, or affect store operations.
The skill documents raw Shopify Admin API calls that can mutate, cancel, or delete live store records, without corresponding instructions requiring user confirmation, scoped operation, or rollback for high-impact actions.
Full read/write access to Shopify Admin REST API ... Delete Product ... -X DELETE ... Cancel Order ... -X POST
Use only with explicit user approval for each write, delete, refund, cancellation, or inventory-changing action; prefer least-privilege scopes and test on non-production stores first.
A broad Admin API token could expose customer/order data or allow unintended store changes if granted too many scopes or used without supervision.
The required token can access and modify sensitive Shopify business and customer data across many resource types. The registry metadata does not declare a primary credential or required environment variables, so this permission boundary is under-disclosed.
`SHOPIFY_ACCESS_TOKEN` - Admin API access token from custom app ... `read_orders` / `write_orders` ... `read_products` / `write_products` ... `read_customers` / `write_customers` ... `read_all_orders`
Create a dedicated Shopify custom app token with only the scopes needed for the specific task, avoid `write_*` and `read_all_orders` unless necessary, and rotate/revoke the token when finished.
A user may install the skill thinking it does not need credentials or special capabilities, then later provide a powerful admin token without realizing the scope of possible actions.
This metadata conflicts with the skill instructions, which require a Shopify store domain and Admin API access token for high-impact administrative actions. Users may underestimate the authority needed before installing or invoking the skill.
Required env vars: none ... Env var declarations: none ... Primary credential: none ... Capability signals: No capability tags were derived.
Update the skill metadata to declare the Shopify access token, store domain, sensitive data access, and read/write administrative capabilities clearly.
