Shopify Bulk Upload
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Shopify bulk uploader, but it can make live store changes using a write-capable Shopify token, so users should review inputs and test carefully.
Before installing or running, inspect the full script, use a dedicated least-privilege Shopify app token, start with a test or draft upload, verify the CSV carefully, and protect or clean up generated logs and output files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad CSV, wrong store token, or accidental run could create many live products or inventory records in the Shopify store.
The script creates Shopify products through the Admin API and defaults product status to active, which is expected for a bulk uploader but can publish live store changes.
"default_status": "active" ... endpoint = "products.json" ... result = self._make_request("POST", endpoint, product)
Test with a small file or development store first, consider using draft status, and keep backups/export data before bulk uploads.
Anyone or anything with this token can make product and inventory changes within the granted Shopify scopes.
The skill requires a Shopify Admin access token with write permissions; this is purpose-aligned but grants authority to modify store products and inventory.
SHOPIFY_ACCESS_TOKEN=your_access_token ... Check `write_products`, `write_inventory` permissions
Use the least-privileged Shopify app token needed, store it securely in .env, do not commit it to source control, and revoke or rotate it when no longer needed.
Dependency behavior can change over time, which can affect reliability or introduce supply-chain risk.
Dependencies are installed from version ranges rather than exact pinned versions or hashes, so future installs may resolve to different package versions.
pandas>=2.0.0 requests>=2.28.0 python-dotenv>=1.0.0 openpyxl>=3.1.0
Install in a virtual environment and consider pinning exact dependency versions with a lockfile before production use.
Local files may retain business/product information after the upload completes.
The skill persists upload logs and result files locally, which may include product data, SKUs, descriptions, image URLs, and failure details.
`logs/upload.log` ... `output/products_created.json` ... `output/products_failed.json`
Review and protect the logs/output directory, and delete retained files when they are no longer needed.
