taceywong

icosmos.space

by 王新勇(Tacey Wong) · GitHub ↗ · v0.0.1 · MIT-0
cross-platform ⚠ suspicious
204 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install icosmos-space
Description
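Shopify store operations and diagnostics skill: pulls store domains and tokens from Supabase, runs theme/product/checkout/metrics anomaly checks, and supports publishing traffic-driving blog posts (the only write operation).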
README (SKILL.md)

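icosmos-shopify

A set of Shopify operations capabilities triggered from OpenClaw: primarily read-only diagnostics that help locate conversion, marketing and product problems; the only write operation is publishing a Shopify Blog article (requires an explicit --confirm).

Triggers

  • Applicable scenario keywords: store audit, theme optimization, product optimization, checkout testing, conversion drop, poor marketing performance, publishing blog / traffic-driving articles.
  • Execution order once triggered:
    1. setup once: sync stores and tokens to the local cache using ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD
    2. content/*: pull raw data (more complete and more traceable)
    3. audit/* / test checkout: produce diagnostics and verification
    4. blog publish: run only when publishing is explicitly required (--confirm is mandatory)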

Quick reference

| Need | Command |
|---|---|
| Setup Once: sync stores/tokens from Supabase to local | icosmos-shopify setup once |
| List stores | icosmos-shopify stores list |
| Get basic store info (raw data) | icosmos-shopify content shop --store xxx.myshopify.com |
| Get product list (raw data, paginated) | icosmos-shopify content products list --store xxx.myshopify.com --first 20 --after <cursor> |
| Get order list (raw data, time window) | icosmos-shopify content orders list --store xxx.myshopify.com --start <RFC3339> --end <RFC3339> |
| Get blog list / articles (raw data) | icosmos-shopify content blogs list --store xxx.myshopify.com / icosmos-shopify content blogs articles list --store xxx.myshopify.com --blog-id 123 |
| Theme checklist (read-only) | icosmos-shopify audit theme --store xxx.myshopify.com |
| Product quality diagnostics (read-only) | icosmos-shopify audit products --store xxx.myshopify.com --limit 50 |
| Checkout flow test (read-only) | icosmos-shopify test checkout --store xxx.myshopify.com |
| Business metrics and anomaly leads (read-only) | icosmos-shopify audit metrics --store xxx.myshopify.com --days 7 |
| Publish traffic-driving blog post (write operation) | icosmos-shopify blog publish --store xxx.myshopify.com --blog-id 123 --title ... --body-file article.html --confirm |

Output protocol (more stable for OpenClaw)

  • --format json is recommended by default (content/* already defaults to json), with a uniform structure:
    • store_domain / api_version / meta / data
  • Pagination info:
    • GraphQL: meta.page_info.has_next_page/end_cursor
    • REST: meta.page_info.next_link (from Link: rel="next")

Dependencies and configuration

  • Setup Once:
    • ICOSMOS_USER_EMAIL
    • ICOSMOS_USER_PASSWORD

    Both fields must be saved to system environment variables.

    The required command-line tool is icosmos-shopify in the current directory.

Shopify

  • SHOPIFY_API_VERSION (default 2026-01)

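Security boundaries (important)

  • Read-only by default: the theme/product/metrics/checkout tests perform no writes to Shopify.
  • The only write operation is publishing a blog post: --confirm must be supplied; otherwise it only does a dry run even when all parameters are present.
  • Log redaction: store tokens show only the first and last 4 characters (abcd...wxyz).
  • Sensitive field handling: sensitive fields such as order email are not output by default (or are blanked), to avoid leaking them in group chats/logs.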

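Common problems and troubleshooting

  • 401/403: Admin token scopes are insufficient or the token has expired; verify the Shopify Custom App's Admin API access token and permissions.
  • 429 Too Many Requests: backoff and retry is already implemented; if it triggers frequently, lower concurrency / fetch fewer fields / narrow the time range.
  • Storefront 430 Security Rejection: the request may have been judged anomalous; check the request origin and whether the token is correct, and if necessary add a more realistic request-header strategy (future enhancement).

Reference documents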

Usage Guidance
Do not install or provide credentials yet. Ask the publisher to clarify: (1) exactly how Supabase is authenticated (Supabase URL and which key/role is used) and why ICOSMOS_USER_EMAIL/ICOSMOS_USER_PASSWORD are needed instead of a service key; (2) where the ./icosmos-shopify binary comes from (source repo or release) and provide a reproducible install method; (3) where and how fetched Shopify admin tokens are cached, encrypted, and rotated; (4) what exact Shopify API scopes are required and why; (5) whether sensitive fields are removed before any external transmission and which external endpoints are contacted. If you proceed, limit exposure by using least-privilege credentials (narrow Shopify scopes, short-lived tokens or dedicated read-only tokens where possible), run the CLI in an isolated environment, review the CLI source or vendor-supplied binary, and never put long-lived admin keys in a shared environment until you validate the implementation. If the publisher cannot answer these questions and provide an install/source for the CLI, treat the skill as unsafe.
Capability Analysis
Type: OpenClaw Skill Name: icosmos-space Version: 0.0.1 The skill requires the user to provide sensitive credentials (ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD) to synchronize Shopify store tokens from a remote Supabase instance to a local cache. While the instructions in SKILL.md describe a legitimate-sounding Shopify management tool, the pattern of collecting user credentials to fetch and store high-value API tokens locally via an external binary (icosmos-shopify) poses a significant security risk for credential harvesting or unauthorized token access.
Capability Assessment
Purpose & Capability
The skill claims to be a Shopify audit/diagnostic tool (read-only, with a single write action to publish blogs). That purpose is coherent with operations like fetching shop, product, order, and blog data. However, the SKILL.md also says it will 'pull store domain & token from Supabase' and requires the user to save ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD to environment variables; none of these required credentials or access mechanisms are declared in the registry metadata. The dependency on Supabase for tokens is plausible but not explained (no Supabase URL, anon/service key, or role described), making the credential flow unclear and disproportionate to the declared registry requirements.
Instruction Scope
The SKILL.md instructs the agent to sync tokens from Supabase, read shop data (orders, products, themes), redact sensitive fields, and only perform blog publish when --confirm is given. It also tells users to store ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD in system environment variables and references a local CLI binary './icosmos-shopify'. The instructions thus assume access to: (a) Supabase-stored tokens, (b) user email/password stored in env, and (c) a local CLI. Those assumptions are not reflected in the declared requirements, and they involve handling sensitive data (admin tokens, order emails). The document's sanitization claims reduce risk but are implementation promises rather than verifiable controls.
Install Mechanism
There is no install spec and no code files (instruction-only), which is lowest-risk in theory. But the instructions expect a local CLI binary named icosmos-shopify in the current directory. The registry metadata lists no required binaries. This mismatch is important: the skill appears to rely on an external, unspecified binary (or code) that would need to be present or installed out-of-band, and that binary would perform the sensitive network and storage operations described.
Credentials
The SKILL.md requires ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD to be saved in environment variables and references SHOPIFY_API_VERSION; it also expects access to stored Shopify admin tokens pulled from Supabase. Yet the skill metadata declares no required env vars or primary credential. Requesting user email/password and access to admin tokens is sensitive and should be explicitly declared and justified (why email/password rather than a Supabase service key? how are tokens protected?). The amount and type of sensitive access described is not proportional to the registry declarations.
Persistence & Privilege
always is false and autonomous invocation is allowed (normal). The SKILL.md says it will 'sync shop & token to local cache' (setup once), implying it will persist fetched admin tokens locally. That behavior is not reflected in metadata and has persistence/privacy implications (local storage of admin tokens). The skill does have an explicit guard for writes (blog publish requires --confirm), which is a positive control, but the persistence of tokens should be clarified (where stored, encryption, lifecycle, deletion/rotation).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install icosmos-space
  3. After installation, invoke the skill by name or use /icosmos-space
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
icosmos-shopify 0.0.1 – Initial Release
  • Introduces a set of Shopify store audit and diagnostics commands, mainly read-only, triggered by OpenClaw.
  • Provides commands for store sync, data retrieval (shop, products, orders, blogs), theme checks, product diagnostics, checkout testing, and metrics analysis.
  • Supports a single write action: publishing a Shopify Blog article with explicit confirmation.
  • Implements consistent output (JSON recommended), pagination handling, and security boundaries (tokens masked, sensitive info omitted).
  • Includes troubleshooting notes for common Shopify API errors and limiting scenarios.
Metadata
Slug icosmos-space
Version 0.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is icosmos.space?

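Shopify store operations and diagnostics skill: pulls store domains and tokens from Supabase, runs theme/product/checkout/metrics anomaly checks, and supports publishing traffic-driving blog posts (the only write operation). It is an AI Agent Skill for Claude Code / OpenClaw, with 204 downloads so far.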

How do I install icosmos.space?

Run "/install icosmos-space" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is icosmos.space free?

Yes, icosmos.space is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does icosmos.space support?

icosmos.space is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created icosmos.space?

It is built and maintained by 王新勇(Tacey Wong) (@taceywong); the current version is v0.0.1.
