← Back to Skills Marketplace
taceywong

icosmos shopify

by 王新勇(Tacey Wong) · GitHub ↗ · v0.0.1 · MIT-0
cross-platform ⚠ suspicious
485
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install icosmos-shopify
Description
Shopify 店铺运营/诊断技能:从 Supabase 拉取店铺域名与 token,做装修/产品/结账/指标异常检测,并支持发布引流博文(唯一写操作)。
README (SKILL.md)

\r \r

icosmos-shopify\r

\r 面向 OpenClaw 触发的 Shopify 运营能力集合:以只读诊断为主,帮助定位转化/营销/商品问题;唯一写操作是发布 Shopify Blog 文章(需要明确 --confirm)。\r \r \r \r

触发\r

\r

  • 适用场景关键词:店铺审计、装修优化、产品优化、结账/checkout 测试、转化下降、营销效果差、发布博客/引流文章。\r
  • 触发后执行顺序:\r
    1. setup once:用 ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD 同步店铺与 token 到本地缓存\r
    2. content/*:拉原始数据(更全面、更可追溯)\r
    3. audit/* / test checkout:给诊断与验证\r
    4. blog publish:仅当明确需要发布时执行(必须 --confirm)\r \r

快速参考\r

\r | 诉求 | 命令 |\r |---|---|\r | Setup Once:从 Supabase 同步店铺/token 到本地 | icosmos-shopify setup once |\r | 列出店铺 | icosmos-shopify stores list |\r | 获取店铺基础信息(原始数据) | icosmos-shopify content shop --store xxx.myshopify.com |\r | 获取产品列表(原始数据,分页) | icosmos-shopify content products list --store xxx.myshopify.com --first 20 --after \x3Ccursor> |\r | 获取订单列表(原始数据,时间窗) | icosmos-shopify content orders list --store xxx.myshopify.com --start \x3CRFC3339> --end \x3CRFC3339> |\r | 获取博客列表/文章(原始数据) | icosmos-shopify content blogs list --store xxx.myshopify.com / icosmos-shopify content blogs articles list --store xxx.myshopify.com --blog-id 123 |\r | 装修检查单(只读) | icosmos-shopify audit theme --store xxx.myshopify.com |\r | 产品质量诊断(只读) | icosmos-shopify audit products --store xxx.myshopify.com --limit 50 |\r | 结账链路测试(只读) | icosmos-shopify test checkout --store xxx.myshopify.com |\r | 经营指标与异常线索(只读) | icosmos-shopify audit metrics --store xxx.myshopify.com --days 7 |\r | 发布引流博文(写操作) | icosmos-shopify blog publish --store xxx.myshopify.com --blog-id 123 --title ... --body-file article.html --confirm |\r \r

输出协议(给 OpenClaw 更稳定)\r

\r

  • 默认推荐 --format jsoncontent/* 默认就是 json),统一结构:\r
    • store_domain / api_version / meta / data\r
  • 分页信息:\r
    • GraphQL:meta.page_info.has_next_page/end_cursor\r
    • REST:meta.page_info.next_link(来自 Link: rel="next")\r \r

依赖与配置\r

\r \r

  • Setup Onece:\r \r
    • ICOSMOS_USER_EMAIL\r
    • ICOSMOS_USER_PASSWORD\r \r 两个字段需要保存到系统环境变量\r \r 所需命令行工具为当前目录下的icosmos-shopify\r \r

Shopify\r

\r

  • SHOPIFY_API_VERSION(默认 2026-01)\r \r

安全边界(重要)\r

\r

  • 默认只读:装修/产品/指标/结账测试均不对 Shopify 做写入。\r
  • 唯一写操作:发布博客:必须提供 --confirm;否则即使参数齐全也只会 dry-run。\r
  • 日志脱敏:店铺 token 只显示前后 4 位(abcd...wxyz)。\r
  • 敏感字段处理:订单 email 等敏感字段默认不输出(或置空),避免在群聊/日志泄露。\r \r

常见问题与排障\r

\r

  • 401/403:Admin token scopes 不足或 token 过期;确认 Shopify Custom App 的 Admin API access token 与权限。\r
  • 429 Too Many Requests:已做退避重试;如果频繁触发,降低并发/减少拉取字段/缩小时间范围。\r
  • Storefront 430 Security Rejection:请求可能被判定为异常;需要检查请求来源、token 是否正确,必要时增加更真实的请求头策略(后续增强)。\r \r

参考文档\r

\r

Usage Guidance
Do not install or run this skill until the author clarifies several points: (1) provide accurate registry metadata listing required env vars and credentials (ICOMSOS_USER_EMAIL/PASSWORD and any Supabase connection info), (2) explain exactly how Supabase is accessed and which credentials/URLs are needed, (3) supply or point to the 'icosmos-shopify' binary source and its install instructions, (4) confirm where shop/admin tokens are stored (local cache path, encryption, retention), (5) ensure least-privilege Shopify tokens (read-only scopes) are used and verify the blog-publish flow and audit/logging, and (6) avoid setting permanent system-wide environment variables for secrets — prefer ephemeral secrets or a secure secret store. If you must test now, run in an isolated environment, inspect the binary/source first, and do not expose full admin tokens or production credentials until you have verified behavior.
Capability Analysis
Type: OpenClaw Skill Name: icosmos-shopify Version: 0.0.1 The skill requires the agent to handle sensitive credentials (ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD) to synchronize Shopify access tokens from a remote Supabase database to a local cache. This architecture, described in SKILL.md, involves storing credentials in environment variables and fetching tokens via an external binary (icosmos-shopify) whose source is not provided. While the stated purpose is store auditing, the mechanism for centralized token retrieval and credential handling is high-risk and could be leveraged for unauthorized access or credential harvesting.
Capability Assessment
Purpose & Capability
The skill description says it pulls shop domains and tokens from Supabase and performs diagnostics (read-only) with a single write action (publish blog). However the registry metadata declares no required environment variables or primary credential, while SKILL.md requires ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD and references a local CLI ('icosmos-shopify'). This mismatch suggests the declared metadata does not match the runtime needs.
Instruction Scope
Runtime instructions direct the agent to sync tokens from Supabase into a local cache (sensitive operation) and to store ICOSMOS_USER_EMAIL/ICOSMOS_USER_PASSWORD as system environment variables. The doc also instructs use of a local 'icosmos-shopify' binary (not provided). Although it states most operations are read-only and only blog publish is a write requiring --confirm, the handling, storage, and transmission of shop/admin tokens and the unspecified Supabase access flow are not described and could enable exfiltration or misuse.
Install Mechanism
There is no install spec and no code/binaries included. Yet SKILL.md expects a CLI named 'icosmos-shopify' in the current directory. That missing artifact is an incoherence: either the skill assumes an out-of-band install or the metadata is incomplete. Lack of an install spec reduces immediate execution risk but increases ambiguity about where the binary would come from.
Credentials
SKILL.md requires ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD (to be saved as environment variables) and will read/store Shopify tokens from Supabase. The registry metadata lists no required env vars. Sensitive variables are requested without clear justification for their scope, how they are protected, or why Supabase access credentials (or connection info) are not declared. This is disproportionate and under-specified.
Persistence & Privilege
always:false (normal) and the skill can be invoked autonomously (platform default). The doc says tokens are cached locally and environment variables are stored — this grants persistence on the host but is not requesting platform-wide privileges. Still, persistent local storage of admin tokens should be treated as a risk unless you verify storage protections.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install icosmos-shopify
  3. After installation, invoke the skill by name or use /icosmos-shopify
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
Initial release of icosmos-shopify: Shopify store operation and diagnostics tool. - Provides read-only diagnostic capabilities for store auditing, theme/product checks, checkout testing, and metrics monitoring. - Only write action is publishing Shopify blog posts, requires explicit --confirm flag. - Syncs store domains and tokens from Supabase at setup. - Outputs data in a unified JSON structure for OpenClaw; sensitive data is masked by default. - Includes robust error handling and security boundaries for safe diagnostics.
Metadata
Slug icosmos-shopify
Version 0.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is icosmos shopify?

Shopify 店铺运营/诊断技能:从 Supabase 拉取店铺域名与 token,做装修/产品/结账/指标异常检测,并支持发布引流博文(唯一写操作)。 It is an AI Agent Skill for Claude Code / OpenClaw, with 485 downloads so far.

How do I install icosmos shopify?

Run "/install icosmos-shopify" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is icosmos shopify free?

Yes, icosmos shopify is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does icosmos shopify support?

icosmos shopify is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created icosmos shopify?

It is built and maintained by 王新勇(Tacey Wong) (@taceywong); the current version is v0.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments