ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Dev Mcp

v1.0.0

Use when user wants to work with Shopify Admin API, Storefront API, validate Liquid code, explore GraphQL schemas, build Shopify apps, or inspect Shopify doc...

0· 78·1 current·1 all-time
by@simoncai519

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for simoncai519/shopify-dev-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Shopify Dev Mcp" (simoncai519/shopify-dev-mcp) from ClawHub.
Skill page: https://clawhub.ai/simoncai519/shopify-dev-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shopify-dev-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install shopify-dev-mcp
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly targets Shopify Admin/Storefront GraphQL, Liquid, Polaris, and an MCP server (shopify-dev). That purpose matches the commands and examples in the docs. However the skill metadata declares no required env vars/binaries while the documentation shows this workflow depends on @shopify/dev-mcp, mcporter, and Shopify API credentials — a minor mismatch between claimed requirements and documented needs.
Instruction Scope
Instructions are constrained to Shopify workflows (initialize MCP session, search docs, introspect schemas, validate code, manage webhooks). They do not instruct the agent to read unrelated system files or exfiltrate data. They do include operations that interact with external endpoints (webhook addresses) which is expected for webhook management.
Install Mechanism
This is an instruction-only skill (no install spec), which is low risk. The docs recommend installing @shopify/dev-mcp locally or using npx, but that install step is not codified in metadata — the absence of an install spec means the agent may assume tooling is present or request it at runtime.
!
Credentials
The reference guide shows explicit environment variables (SHOPIFY_API_KEY, SHOPIFY_API_SECRET, SHOPIFY_STORE_URL, LIQUID_VALIDATION_MODE) needed by the MCP server, but the skill metadata lists no required env vars or primary credential. This mismatch could lead the agent to prompt for or rely on sensitive credentials without them being declared up-front.
Persistence & Privilege
The skill is not force-included (always:false) and does not request persistent system-wide changes in its instructions. It does not claim to modify other skills or global agent settings.
What to consider before installing
This skill is broadly coherent with Shopify development tasks, but it references tools and sensitive environment variables that are not declared in the skill metadata. Before installing or using it: 1) expect to need Shopify API credentials (API key/secret and store URL) to use the MCP server — do not paste these into an unknown service; 2) prefer running @shopify/dev-mcp and mcporter from trusted sources (audit the installed package or pin a known-good version); 3) be cautious when the skill or its recommended CLI creates webhooks or posts to external URLs — verify webhook destinations; 4) ask the skill author or publisher for an explicit install spec and a list of required env vars if you need to run this in a shared environment. If you want me to, I can list the exact places in the SKILL.md that mention credentials and external commands or suggest a safer deployment checklist.

Like a lobster shell, security has layers — review code before you run it.

latestvk9732jq8zpn5rdj4msccaak53d84sm9p
78downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@simoncai519
latest
Download

Shopify Development MCP (shopify-dev-mcp)

Provides a workflow to interact with Shopify's development ecosystem via the shopify-dev MCP server. It enables searching documentation, introspecting GraphQL schemas, validating Liquid/theme code, and building Shopify extensions while avoiding hallucinations.

Trigger Scenarios

  • "How do I create a product using the Admin API?"
  • "Show me the fields on the Order GraphQL type."
  • "Validate this Liquid snippet for a theme."
  • "I need to explore the Storefront API schema."
  • "Help me build a Shopify app that uses Polaris components."
  • "Debug a GraphQL error from Shopify."

Core Workflow

  1. Initialize – Call learn_shopify_api for the required technology (admin, storefront-graphql, liquid, polaris) and capture the returned conversationId.
  2. Search Documentation – Use search_docs_chunks for semantic search or fetch_full_docs for full pages.
  3. Introspect Schema – Run introspect_graphql_schema with the conversationId to get up‑to‑date types and fields.
  4. Validate Code – Depending on the content:
    • GraphQL: validate_graphql_codeblocks
    • Polaris UI: validate_component_codeblocks
    • Liquid/theme: validate_theme
  5. Present Result – Return the validated code or documentation excerpt to the user.

Best Practices

  • Always start with step 1 and reuse the same conversationId for subsequent calls.
  • Wrap MCP CLI commands in single quotes when invoking via shell ('shopify-dev.tool(...)').
  • Prefer a local installation of @shopify/dev-mcp over npx for reliability.
  • Use absolute paths in the MCP configuration to avoid path resolution issues.
  • Validate any generated code before showing it to the user.

Usage Examples

# 1. Initialize for Admin GraphQL
learn_shopify_api tech:admin
# ⇒ returns conversationId=abc123

# 2. Search docs for "product creation"
search_docs_chunks query:"product creation" conversationId:abc123

# 3. Introspect the schema
introspect_graphql_schema conversationId:abc123

# 4. Validate a GraphQL mutation
validate_graphql_codeblocks conversationId:abc123 codeblocks:[{content:"mutation { productCreate(input:{title:\"New\"}) { product { id } userErrors { field message } } }"}]

# 5. Validate a Liquid snippet
validate_theme conversationId:abc123 path:"/tmp/theme" files:["snippets/header.liquid"]

References

  • See references/api-guide.md for full API details, GraphQL schema listings, Liquid validation options, and MCP server setup.

Created by Simon Cai · More e-commerce skills: github.com/simoncai519/open-accio-skill

Comments

Loading comments...