Shopify MCP

Search, read, and work with Shopify products, variants, catalog discovery, sellers, and checkout links via Shopify's configured MCP server (https://catalog.shopify.com/api/ucp/mcp). Use when the user asks about Shopify products, variants, sellers, catalog discovery, or checkout links.

Audits

Pass

Install

openclaw skills install maverick-shopify-mcp

Shopify

Quick start

Always invoke through bash {baseDir}/scripts/invoke.sh — never call mcporter directly. The wrapper seeds the OAuth vault from the env-supplied tokens when needed, then calls mcporter.

bash {baseDir}/scripts/invoke.sh list maverick-shopify --schema

For structured output (also surfaces transport errors as JSON envelopes — workaround for mcporter #153):

bash {baseDir}/scripts/invoke.sh call --output json maverick-shopify.TOOL_NAME key=value | jq '.result.content'

Safety

Write operations that create, publish, update, or expose products, variants, catalog data, seller records, checkout links, or externally visible product links can affect customer-facing commerce flows. Confirm clear user intent before invoking write tools — search and read tools are safe to call freely while exploring. Search products before assuming product or variant IDs, and read product and variant details before recommending or linking items.

Authentication

Tokens are provisioned and rotated automatically. If a call returns HTTP 401 that doesn't recover within a few seconds, the OAuth grant has been revoked — re-authorize the integration to refresh credentials.

Data flow

Tool calls travel to Shopify's configured MCP service at https://catalog.shopify.com/api/ucp/mcp over HTTPS, authenticated via OAuth. Shopify sees the product, variant, catalog, seller, and checkout-link data referenced by each call. Use this skill for Shopify-related work only; do not pass unrelated sensitive content through these tools.

Dependencies

  • mcporter (github.com/steipete/mcporter) — MCP CLI used to invoke Shopify's configured MCP server. Auto-installed via npm install -g --ignore-scripts mcporter if missing on PATH (see install spec in frontmatter). The install spec uses unpinned mcporter (npm latest); operators with strict supply-chain controls should override the install to pin a specific version (e.g. mcporter@<version>).
  • jq (stedolan.github.io/jq) — JSON processor used by the vault initializer. System dependency; install via your OS package manager (apt install jq, brew install jq, etc.).
  • flock (part of util-linux) — file locking used to serialize concurrent vault writes. Available by default on Linux; on macOS install via brew install flock.
  • shasum (Perl, ships with Digest::SHA) — computes the SHA-256 hashes used to derive the mcporter vault key and the provisioned-token marker. Preinstalled on macOS and on Debian/Ubuntu (incl. the deployed cloudflare/sandbox Ubuntu 22.04 image); on minimal Linux images install perl-Digest-SHA. The script invokes shasum -a 256 rather than GNU sha256sum so it runs on stock macOS without coreutils.
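
The pinning advice in the mcporter entry above can be enforced before the install runs. The following is an added example, not part of this skill or of mcporter: a POSIX shell check that rejects an npm install command if it lacks --ignore-scripts or names a package without an exact version. The function names are hypothetical, and 0.0.0 in the tests is a constructed placeholder, not a real mcporter release.

```sh
#!/bin/sh
# Added example (not from the skill): gate an npm install command on
# --ignore-scripts and exact version pins. Function names are hypothetical.

# Succeeds only if $1 is name@x.y.z (optional -prerelease / +build).
is_exact_pin() {
  case $1 in
    ?*@*) ;;            # some name, then '@', then a version part
    *) return 1 ;;      # bare name: npm resolves it to the "latest" tag
  esac
  # Text after the last '@', so scoped names (@scope/name@1.2.3) work.
  printf '%s\n' "${1##*@}" |
    grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
}

# Usage: check_npm_install npm install [flags] pkg...
# Returns 0 if acceptable, 1 otherwise; reasons go to stderr.
# Limitation: flags that take a separate value (e.g. --registry URL) are
# not modelled; the value would be read as a package spec and rejected.
check_npm_install() {
  local ignore_scripts=0 pkgs=0 rc=0 w
  if [ "${1:-}" != npm ] || [ "${2:-}" != install ]; then
    echo "not an npm install command" >&2
    return 1
  fi
  shift 2
  for w in "$@"; do
    case $w in
      --ignore-scripts|--ignore-scripts=true) ignore_scripts=1 ;;
      -*) ;;            # other flags are not assessed here
      *)
        pkgs=$((pkgs + 1))
        is_exact_pin "$w" || { echo "unpinned package spec: $w" >&2; rc=1; }
        ;;
    esac
  done
  [ "$ignore_scripts" -eq 1 ] || { echo "missing --ignore-scripts" >&2; rc=1; }
  [ "$pkgs" -gt 0 ] || { echo "no package named" >&2; rc=1; }
  return "$rc"
}

# Demo: the install command quoted in the list above is unpinned.
if check_npm_install npm install -g --ignore-scripts mcporter; then
  echo "accepted"
else
  echo "rejected"
fi
```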