Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Shopify Manager

v0.2.1

Connect OpenClaw to Shopify with guided setup, local `.env` secret storage, Shopify OAuth, webhook validation, product and content operations, and host or Do...

by Dhawal @dave8172
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Shopify connector) align with the files and envs. Required env vars (SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_SHOP, SHOPIFY_REDIRECT_URI) match Shopify usage. Bundled scripts and docs all relate to bootstrapping a local connector, OAuth, webhooks, Tailscale guidance, and optional systemd deployment — nothing extraneous (e.g., cloud provider credentials) is requested.
Instruction Scope
SKILL.md and the referenced scripts instruct the agent to create a local runtime, write a local .env, run a small HTTP server, validate HMACs, and call Shopify APIs. They reference only local paths, systemd templates, and operator-managed ingress (Tailscale or reverse proxy). There is no instruction to read unrelated host files, exfiltrate secrets, or call unexpected third-party endpoints.
Install Mechanism
No remote install or download steps are bundled; it is instruction- and script-based (no installer fetching remote archives). The skill ships scripts and templates to be run locally by the operator. This is the low-risk pattern described in the policy.
Credentials
Requested environment variables are the standard Shopify app credentials and redirect info. The code does use optional runtime path env vars (SHOPIFY_RUNTIME_ROOT, SHOPIFY_ENV_PATH, etc.) for flexibility, but those are operational (not additional secrets). SHOPIFY_ACCESS_TOKEN is produced by OAuth and not required up-front.
Persistence & Privilege
The skill persists config, .env, state, and logs under a runtime directory controlled by the operator (default ~/oc/shopify-runtime). always is false and the skill does not request system-wide privilege changes; the service template is provided but must be installed manually by the operator.
Assessment
This skill appears to do what it says: run a local Shopify connector, perform OAuth, validate HMACs, and call Shopify Admin APIs while storing secrets in a local .env. Before installing: (1) only provide the Shopify API key/secret to the guided setup and keep the runtime directory under your control; (2) inspect the provided service template and scripts if you plan to install systemd, and install the service manually (the skill does not auto-install); (3) run the connector locally first and verify health and OAuth flows before exposing any public URL; (4) if you use Tailscale, install/configure it yourself — the skill only documents usage and does not bundle any tunneling binaries; (5) be cautious with mutation commands (update/create) and confirm changes before proceeding. If you want additional assurance, review the full shopify-connector.mjs and setup-runtime.mjs files to confirm logging behavior and where token files are written.
scripts/setup-runtime.mjs:150
Shell command execution detected (child_process).
scripts/shopify-connector.mjs:28
Environment variable access combined with network send.
scripts/shopify-connector.mjs:63
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978ypn4q0j34zn0sqfb9rp2d183q5s1


Runtime requirements

Env: SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_SHOP, SHOPIFY_REDIRECT_URI
Primary env: SHOPIFY_API_KEY

SKILL.md

OpenClaw Shopify Manager

Use this skill to connect OpenClaw to Shopify with a guided setup flow, local secret storage, and a small local connector for OAuth, webhooks, and Shopify Admin API operations.

Core workflow

  1. Read references/setup.md for the canonical setup path.
  2. Use scripts/setup-runtime.mjs guided-setup to create the runtime directory, config files, .env, logs/state folders, and optional systemd unit template.
  3. Read references/tailscale.md when using Tailscale for public HTTPS callback exposure.
  4. Read references/systemd.md for host/systemd operation.
  5. Read references/docker.md for Docker or sidecar deployment.
  6. Use scripts/shopify-connector.mjs for auth URL generation, callback handling, webhook validation, and Shopify API calls.
  7. Use scripts/setup-runtime.mjs doctor to verify runtime completeness.
  8. Use scripts/install-host-runtime.sh when the user wants the canonical host-oriented setup flow.

Safety rules

  • Keep Shopify secrets and tokens in .env, not in tracked config files.
  • Default to read-first behavior unless the user clearly asks for mutations.
  • Before any store-changing action, restate the intended change briefly and get confirmation.
  • Prefer least-privilege scopes.
  • Verify callback URLs and health endpoints after setup changes.

Common user-facing tasks

Connect a store

  • Run scripts/setup-runtime.mjs guided-setup.
  • Fill Shopify app credentials into .env.
  • Start the connector.
  • Expose the callback path publicly over HTTPS.
  • Generate the auth URL with scripts/shopify-connector.mjs auth-url.
  • Complete OAuth.
  • Verify with shop-info.

Read Shopify data

Supported helper commands include:

  • shop-info
  • list-products
  • find-products
  • get-product
  • list-blogs
  • list-articles

Use get-product --id ... for exact lookup and get-product --title ... or find-products --query ... for title-based lookup.

Update Shopify data

Supported mutation helpers include:

  • update-product
  • create-article
  • update-article

Use write commands only after user confirmation.

Resource map

  • Setup guide: references/setup.md
  • Tailscale guide: references/tailscale.md
  • systemd guide: references/systemd.md
  • Docker guide: references/docker.md
  • Shopify scopes and safety: references/scopes-and-safety.md
  • Runtime bootstrap: scripts/setup-runtime.mjs
  • Canonical host installer: scripts/install-host-runtime.sh
  • Connector runtime: scripts/shopify-connector.mjs
  • Service template: assets/shopify-connector.service.txt
  • Tailscale checker: scripts/check-tailscale.sh

Files

14 total