Shopify mcp
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad write call could publish or change product, catalog, seller, or checkout-link information seen by customers.
The skill may access Shopify tools that can change customer-facing commerce data. The warning and confirmation instruction make this disclosed and purpose-aligned, but users should treat writes as high-impact.
Write operations that create, publish, update, or expose products, variants, catalog data, seller records, checkout links, or externally visible product links can affect customer-facing commerce flows. Confirm clear user intent before invoking write tools.
Use search/read tools first, verify product and variant IDs, and require explicit user approval before any create, update, publish, expose, or checkout-link action.
Anyone who can read or use the local mcporter credential vault may be able to act through the Shopify integration until the tokens are revoked or rotated.
The script persists Shopify OAuth access and refresh tokens into mcporter's local credential vault. This is expected for OAuth MCP access, but it is sensitive account authority.
mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}
Use least-privilege, revocable OAuth credentials; protect the user account and the ~/.mcporter directory; and rotate or revoke tokens when access is no longer needed.
A future mcporter release could change behavior or introduce supply-chain risk.
The skill clearly discloses that it depends on an unpinned npm package. This is common for CLI integrations, but future package changes are outside the reviewed artifact set.
Auto-installed via `npm install -g --ignore-scripts mcporter` if missing on PATH ... The install spec uses unpinned `mcporter` (npm `latest`)
Operators with stricter controls should pin mcporter to a reviewed version and install it from a trusted package source.
Information included in tool calls will be visible to Shopify's MCP service.
The external MCP data flow is disclosed and purpose-aligned, but it means referenced Shopify-related data is sent to Shopify's service.
Tool calls travel to Shopify's configured MCP service at `https://catalog.shopify.com/api/ucp/mcp` over HTTPS, authenticated via OAuth. Shopify sees the product, variant, catalog, seller, and checkout-link data referenced by each call.
Use the skill only for Shopify-related tasks and avoid sending unrelated sensitive content through these tools.
