Shopify
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Approved actions could modify Shopify products, inventory, orders, refunds, or storefront content.
The skill allows the agent to execute dynamically discovered Shopify tools, including write operations, but it explicitly requires preview and user confirmation for writes.
For writes or anything marked as requiring confirmation, call `clawlink_preview_tool` first, then confirm with the user. Execute with `clawlink_call_tool`.
Review each preview carefully before approving writes, especially refunds, cancellations, publishing, bulk edits, inventory changes, and gift card or discount changes.
The connected integration may be able to read or change Shopify store data within the scopes the user approves.
The skill relies on delegated Shopify account authorization through ClawLink, which is expected for the stated purpose but grants account-level access based on approved scopes.
The user follows the Shopify login, app install, and authorization flow shown there.
Use least-privilege Shopify permissions where possible, connect only the intended store, and revoke the ClawLink/Shopify app connection when no longer needed.
The security of the integration depends partly on the external ClawLink plugin and service.
The skill depends on a separately installed ClawLink plugin that is not included in the provided artifact set. The install is disclosed and user-directed, but its code is outside this review.
Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`
Install the plugin only from the trusted ClawHub source and review ClawLink verification, documentation, and source links before granting Shopify access.
Shopify operational data and authorization flows may pass through ClawLink as part of tool execution.
Shopify access is mediated through a third-party integration hub. This is disclosed and purpose-aligned, but it creates an external data and credential boundary users should understand.
Powered by ClawLink ... an integration hub for OpenClaw that handles hosted connection flows and credentials
Review ClawLink’s privacy, security, and authorization model before connecting stores that contain sensitive customer, order, or business data.