
Shopify mcp

by Maverick · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
30 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install maverick-shopify-mcp
Description
Search, read, and work with Shopify products, variants, catalog discovery, sellers, and checkout links via Shopify's configured MCP server (https://catalog.s...
README (SKILL.md)

Shopify

Quick start

Always invoke through bash {baseDir}/scripts/invoke.sh — never call mcporter directly. The wrapper seeds the OAuth vault from the env-supplied tokens when needed, then calls mcporter.

bash {baseDir}/scripts/invoke.sh list maverick-shopify --schema

For structured output (also surfaces transport errors as JSON envelopes — workaround for mcporter #153):

bash {baseDir}/scripts/invoke.sh call --output json maverick-shopify.TOOL_NAME key=value | jq '.result.content'

Safety

Write operations that create, publish, update, or expose products, variants, catalog data, seller records, checkout links, or externally visible product links can affect customer-facing commerce flows. Confirm clear user intent before invoking write tools — search and read tools are safe to call freely while exploring. Search products before assuming product or variant IDs, and read product and variant details before recommending or linking items.

Authentication

Tokens are provisioned and rotated automatically. If a call returns HTTP 401 that doesn't recover within a few seconds, the OAuth grant has been revoked — re-authorize the integration to refresh credentials.

Data flow

Tool calls travel to Shopify's configured MCP service at https://catalog.shopify.com/api/ucp/mcp over HTTPS, authenticated via OAuth. Shopify sees the product, variant, catalog, seller, and checkout-link data referenced by each call. Use this skill for Shopify-related work only; do not pass unrelated sensitive content through these tools.

Dependencies

  • mcporter (github.com/steipete/mcporter) — MCP CLI used to invoke Shopify's configured MCP server. Auto-installed via npm install -g --ignore-scripts mcporter if missing on PATH (see install spec in frontmatter). The install spec uses unpinned mcporter (npm latest); operators with strict supply-chain controls should override the install to pin a specific version (e.g. mcporter@<version>).
  • jq (stedolan.github.io/jq) — JSON processor used by the vault initializer. System dependency; install via your OS package manager (apt install jq, brew install jq, etc.).
  • flock (part of util-linux) — file locking used to serialize concurrent vault writes. Available by default on Linux; on macOS install via brew install flock.
  • shasum (Perl, ships with Digest::SHA) — computes the SHA-256 hashes used to derive the mcporter vault key and the provisioned-token marker. Preinstalled on macOS and on Debian/Ubuntu (incl. the deployed cloudflare/sandbox Ubuntu 22.04 image); on minimal Linux images install perl-Digest-SHA. The script invokes shasum -a 256 rather than GNU sha256sum so it runs on stock macOS without coreutils.
Usage Guidance
Install this only if you intend to connect an agent to Shopify's catalog MCP service. Use scoped and revocable OAuth tokens, protect ~/.mcporter/credentials.json, review the available MCP tool schema, explicitly approve any customer-facing write action, and consider pinning the mcporter npm package for supply-chain control.
Capability Analysis
Type: OpenClaw Skill
Name: maverick-shopify-mcp
Version: 1.0.0

The skill provides a legitimate integration with Shopify's MCP server (catalog.shopify.com) for product and catalog discovery. The included scripts (init-mcporter.sh and invoke.sh) are well-structured and implement secure handling of OAuth tokens by seeding the mcporter vault using environment variables and file locking to prevent race conditions. It follows security best practices, such as passing secrets to jq via environment variables to avoid exposure in process listings, and contains no evidence of data exfiltration or malicious intent.
Capability Tags
requires-oauth-token, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The stated purpose, MCP server configuration, and agent prompt all align with Shopify product, variant, catalog, seller, and checkout-link work. The documented write capabilities are purpose-aligned but commercially sensitive.
Instruction Scope
The skill instructs agents to use the wrapper and to confirm clear user intent before write tools. This is appropriate, but safe use depends on the agent and user respecting that confirmation boundary.
Install Mechanism
The install path is disclosed and centered on the mcporter CLI, but the dependency is installed from npm without a pinned version.
Credentials
The required Shopify OAuth environment variables and external Shopify MCP calls are proportional to the integration, but they are sensitive and should be scoped to the intended Shopify work.
Persistence & Privilege
The wrapper seeds OAuth tokens into mcporter's local credentials vault and stores only a refresh-token hash marker in the skill directory. No background service or self-starting persistence is shown.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install maverick-shopify-mcp
  3. After installation, invoke the skill by name or use /maverick-shopify-mcp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of maverick-shopify-mcp
  • Search, read, and interact with Shopify products, variants, catalogs, sellers, and checkout links via Shopify's MCP server.
  • Secure OAuth authentication with automatic token management and rotation.
  • CLI usage via `bash {baseDir}/scripts/invoke.sh`, with JSON output support and error handling.
  • Clear safety guidelines for write operations affecting customer-facing data.
  • Documents required dependencies and install steps (mcporter, jq, flock, shasum).
Metadata
Slug maverick-shopify-mcp
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Shopify mcp?

Search, read, and work with Shopify products, variants, catalog discovery, sellers, and checkout links via Shopify's configured MCP server (https://catalog.s... It is an AI Agent Skill for Claude Code / OpenClaw, with 30 downloads so far.

How do I install Shopify mcp?

Run "/install maverick-shopify-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Shopify mcp free?

Yes, Shopify mcp is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Shopify mcp support?

Shopify mcp is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Shopify mcp?

It is built and maintained by Maverick (@maverick); the current version is v1.0.0.
