Openclaw Commerce Shopify

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill is a disclosed Shopify management integration with broad store-changing power. It appears purpose-aligned, but it should be used carefully and only with a trusted API key.

Install only if you trust OpenClaw Commerce with your Shopify store. Use a dedicated/revocable API key, review every proposed store-changing action before confirming, and avoid sending or logging unnecessary customer, order, or credential data.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone, or any agent, holding this key could read or change important store data if the key is misused.

Why it was flagged

The skill requires an API key that enables broad Shopify administrative access through OpenClaw Commerce. This is expected for the stated purpose, but it is high-impact account authority.

Skill content

Full read/write access to Shopify Admin GraphQL API ... All requests require this header: X-OpenClaw-Commerce-Token: $OPENCLAW_COMMERCE_API_KEY

Recommendation

Use a key only for stores you control, keep it private, revoke it if no longer needed, and prefer the least-privileged key available from the provider.

What this means

A mistaken or over-broad request could change or delete store records, products, promotions, or customer/order information.

Why it was flagged

The skill exposes broad create, read, update, and delete operations over business-critical Shopify resources. The artifacts also document confirmation and validation controls, so this is purpose-aligned rather than suspicious by itself.

Skill content

Complete CRUD operations for customers ... orders ... products ... collections ... catalogs ... discounts

Recommendation

Carefully review the summarized mutation and require explicit confirmation before approving any create, update, delete, or bulk operation.

What this means

Customer, order, product, discount, and store-management data may be sent to OpenClaw Commerce while using the skill.

Why it was flagged

Shopify operations are routed through the OpenClaw Commerce API gateway. This is disclosed and central to the skill, but it means store data and requested mutations pass through that external service.

Skill content

Base URL: https://app.openclawcommerce.com/api/v1 ... Endpoint: /operation

Recommendation

Confirm you trust the OpenClaw Commerce service and understand its privacy, logging, and data-retention practices before connecting a production store.

What this means

Sensitive store details could be retained in chat history or logs if included in audit context.

Why it was flagged

The skill encourages logging or echoing validated variables for auditability. That is useful, but variables could include business or customer data depending on the operation.

Skill content

Audit context – Log (or echo back to the user) which template was used and which validated variables were applied

Recommendation

Avoid logging API keys, personal customer data, or unnecessary business-sensitive values; keep audit logs limited and retained only as long as needed.

What this means

It may be harder to verify exactly which package version was reviewed or published.

Why it was flagged

The provided registry metadata lists version 1.0.4, while the packaged _meta.json lists 1.0.3. This is a minor provenance/version-coherence issue, not evidence of malicious behavior.

Skill content

"version": "1.0.3"

Recommendation

Confirm the publisher and package version before installation, especially before granting production Shopify access.