Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Shopify Manager

v0.2.1

Connect OpenClaw to Shopify with guided setup, local `.env` secret storage, Shopify OAuth, webhook validation, product and content operations, and host or Do...

by Dhawal (@dave8172)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dave8172/openclaw-shopify-manager.

Install the skill "Openclaw Shopify Manager" (dave8172/openclaw-shopify-manager) from ClawHub.
Skill page: https://clawhub.ai/dave8172/openclaw-shopify-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_SHOP, SHOPIFY_REDIRECT_URI
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-shopify-manager

ClawHub CLI

npx clawhub@latest install openclaw-shopify-manager

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (Shopify connector) align with the files and envs. Required env vars (SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_SHOP, SHOPIFY_REDIRECT_URI) match Shopify usage. Bundled scripts and docs all relate to bootstrapping a local connector, OAuth, webhooks, Tailscale guidance, and optional systemd deployment — nothing extraneous (e.g., cloud provider credentials) is requested.
Instruction Scope
SKILL.md and the referenced scripts instruct the agent to create a local runtime, write a local .env, run a small HTTP server, validate HMACs, and call Shopify APIs. They reference only local paths, systemd templates, and operator-managed ingress (Tailscale or reverse proxy). There is no instruction to read unrelated host files, exfiltrate secrets, or call unexpected third-party endpoints.
Install Mechanism
No remote install or download steps are bundled; it is instruction- and script-based (no installer fetching remote archives). The skill ships scripts and templates to be run locally by the operator. This is the low-risk pattern described in the policy.
Credentials
Requested environment variables are the standard Shopify app credentials and redirect info. The code does use optional runtime path env vars (SHOPIFY_RUNTIME_ROOT, SHOPIFY_ENV_PATH, etc.) for flexibility, but those are operational (not additional secrets). SHOPIFY_ACCESS_TOKEN is produced by OAuth and not required up-front.
Persistence & Privilege
The skill persists config, .env, state, and logs under a runtime directory controlled by the operator (default ~/oc/shopify-runtime). always is false and the skill does not request system-wide privilege changes; the service template is provided but must be installed manually by the operator.
Assessment
This skill appears to do what it says: run a local Shopify connector, perform OAuth, validate HMACs, and call Shopify Admin APIs while storing secrets in a local .env. Before installing: (1) only provide the Shopify API key/secret to the guided setup and keep the runtime directory under your control; (2) inspect the provided service template and scripts if you plan to install systemd, and install the service manually (the skill does not auto-install); (3) run the connector locally first and verify health and OAuth flows before exposing any public URL; (4) if you use Tailscale, install/configure it yourself — the skill only documents usage and does not bundle any tunneling binaries; (5) be cautious with mutation commands (update/create) and confirm changes before proceeding. If you want additional assurance, review the full shopify-connector.mjs and setup-runtime.mjs files to confirm logging behavior and where token files are written.

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/setup-runtime.mjs:150: Shell command execution detected (child_process).
  • scripts/shopify-connector.mjs:28: Environment variable access combined with network send.
  • scripts/shopify-connector.mjs:63: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_SHOP, SHOPIFY_REDIRECT_URI
Primary env: SHOPIFY_API_KEY
latest: vk978ypn4q0j34zn0sqfb9rp2d183q5s1
171 downloads
0 stars
12 versions
Updated 1mo ago
v0.2.1
MIT-0

OpenClaw Shopify Manager

Use this skill to connect OpenClaw to Shopify with a guided setup flow, local secret storage, and a small local connector for OAuth, webhooks, and Shopify Admin API operations.

Core workflow

  1. Read references/setup.md for the canonical setup path.
  2. Use scripts/setup-runtime.mjs guided-setup to create the runtime directory, config files, .env, logs/state folders, and optional systemd unit template.
  3. Read references/tailscale.md when using Tailscale for public HTTPS callback exposure.
  4. Read references/systemd.md for host/systemd operation.
  5. Read references/docker.md for Docker or sidecar deployment.
  6. Use scripts/shopify-connector.mjs for auth URL generation, callback handling, webhook validation, and Shopify API calls.
  7. Use scripts/setup-runtime.mjs doctor to verify runtime completeness.
  8. Use scripts/install-host-runtime.sh when the user wants the canonical host-oriented setup flow.

Safety rules

  • Keep Shopify secrets and tokens in .env, not in tracked config files.
  • Default to read-first behavior unless the user clearly asks for mutations.
  • Before any store-changing action, restate the intended change briefly and get confirmation.
  • Prefer least-privilege scopes.
  • Verify callback URLs and health endpoints after setup changes.

Common user-facing tasks

Connect a store

  • Run scripts/setup-runtime.mjs guided-setup.
  • Fill Shopify app credentials into .env.
  • Start the connector.
  • Expose the callback path publicly over HTTPS.
  • Generate the auth URL with scripts/shopify-connector.mjs auth-url.
  • Complete OAuth.
  • Verify with shop-info.

Read Shopify data

Supported helper commands include:

  • shop-info
  • list-products
  • find-products
  • get-product
  • list-blogs
  • list-articles

Use get-product --id ... for exact lookup and get-product --title ... or find-products --query ... for title-based lookup.

Update Shopify data

Supported mutation helpers include:

  • update-product
  • create-article
  • update-article

Use write commands only after user confirmation.

Resource map

  • Setup guide: references/setup.md
  • Tailscale guide: references/tailscale.md
  • systemd guide: references/systemd.md
  • Docker guide: references/docker.md
  • Shopify scopes and safety: references/scopes-and-safety.md
  • Runtime bootstrap: scripts/setup-runtime.mjs
  • Canonical host installer: scripts/install-host-runtime.sh
  • Connector runtime: scripts/shopify-connector.mjs
  • Service template: assets/shopify-connector.service.txt
  • Tailscale checker: scripts/check-tailscale.sh
