shopify library & shopify spy tool
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned PPSPY Shopify research skill, but it relies on an external npm MCP server and a PPSPY API key that can spend account credits.
Before installing, confirm you trust the ppspy-mcp-server npm package and the PPSPY service, then use a PPSPY API key you can monitor and set clear limits on searches to control credit spending.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may add and run third-party local code to provide the PPSPY tools.
The skill depends on a globally installed external npm MCP package whose source code is not included in the submitted artifacts.
install:\n command: npm\n args:\n - install\n - -g\n - "ppspy-mcp-server@1.0.1"
Verify the npm package and publisher before installing, and consider using a controlled environment if you do not already trust the package.
The skill can use your PPSPY account credentials for API calls, which may consume your account credits.
The PPSPY API key is required and is passed into the MCP server environment for provider access.
requires:\n env:\n - PPSPY_API_KEY\n...\nPPSPY_API_KEY: "{{PPSPY_API_KEY}}"Use a PPSPY key with the minimum access you need, monitor credit usage, and rotate the key if you remove or stop trusting the integration.
Broad searches could use more credits than expected if the agent is not given clear limits.
The skill discloses that tool calls can spend PPSPY credits, so repeated or broad searches have a user-visible cost.
Each API call consumes credits from your PPSPY account:\n- **Shopify Store/Product Search**: 1 credit per record
Give the agent specific query limits, result counts, and budget expectations before using the PPSPY search tools.