taceywong

icosmos shop

by 王新勇(Tacey Wong) · GitHub ↗ · v0.0.1 · MIT-0
cross-platform ⚠ suspicious
224
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install icosmos-shop
Description
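Shopify store operations/diagnostics skill: pulls store domains and tokens from Supabase, runs theme/product/checkout/metrics anomaly checks, and supports publishing traffic-driving blog posts (the only write operation).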
README (SKILL.md)


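icosmos-shopify

A collection of Shopify operations capabilities triggered from OpenClaw: primarily read-only diagnostics that help locate conversion/marketing/product problems; the only write operation is publishing a Shopify Blog article (requires an explicit --confirm).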

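Trigger

  • Applicable scenario keywords: store audit, theme optimization, product optimization, checkout testing, conversion drop, poor marketing performance, publishing blog / traffic-driving articles.
  • Execution order after triggering:
    1. setup once: use ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to sync stores and tokens to the local cache
    2. content/*: pull raw data (more complete, more traceable)
    3. audit/* / test checkout: produce diagnosis and verification
    4. blog publish: run only when publishing is explicitly needed (--confirm is required)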

Quick reference

| Need | Command |
|---|---|
| Setup Once: sync stores/tokens from Supabase to local | icosmos-shopify setup once |
| List stores | icosmos-shopify stores list |
| Get basic store info (raw data) | icosmos-shopify content shop --store xxx.myshopify.com |
| Get product list (raw data, paginated) | icosmos-shopify content products list --store xxx.myshopify.com --first 20 --after <cursor> |
| Get order list (raw data, time window) | icosmos-shopify content orders list --store xxx.myshopify.com --start <RFC3339> --end <RFC3339> |
| Get blog list/articles (raw data) | icosmos-shopify content blogs list --store xxx.myshopify.com / icosmos-shopify content blogs articles list --store xxx.myshopify.com --blog-id 123 |
| Theme checklist (read-only) | icosmos-shopify audit theme --store xxx.myshopify.com |
| Product quality diagnosis (read-only) | icosmos-shopify audit products --store xxx.myshopify.com --limit 50 |
| Checkout flow test (read-only) | icosmos-shopify test checkout --store xxx.myshopify.com |
| Business metrics and anomaly leads (read-only) | icosmos-shopify audit metrics --store xxx.myshopify.com --days 7 |
| Publish traffic-driving blog post (write operation) | icosmos-shopify blog publish --store xxx.myshopify.com --blog-id 123 --title ... --body-file article.html --confirm |

Output protocol (more stable for OpenClaw)

  • Recommended default: --format json (content/* already defaults to json), with a unified structure:
    • store_domain / api_version / meta / data
  • Pagination info:
    • GraphQL: meta.page_info.has_next_page/end_cursor
    • REST: meta.page_info.next_link (from Link: rel="next")

Dependencies and configuration

  • Setup Once:
    • ICOSMOS_USER_EMAIL
    • ICOSMOS_USER_PASSWORD

Both fields must be saved as system environment variables.

The required command-line tool is icosmos-shopify in the current directory.

Shopify

  • SHOPIFY_API_VERSION (default 2026-01)

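Security boundaries (important)

  • Read-only by default: theme/product/metrics/checkout tests perform no writes to Shopify.
  • The only write operation is publishing a blog post: --confirm must be provided; otherwise, even with all parameters supplied, only a dry-run is performed.
  • Log redaction: store tokens show only the first and last 4 characters (abcd...wxyz).
  • Sensitive field handling: sensitive fields such as order email are not output by default (or are blanked), to avoid leaks in group chats/logs.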

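FAQ and troubleshooting

  • 401/403: the Admin token has insufficient scopes or has expired; confirm the Shopify Custom App's Admin API access token and permissions.
  • 429 Too Many Requests: backoff and retry is already implemented; if it triggers frequently, lower concurrency / fetch fewer fields / narrow the time range.
  • Storefront 430 Security Rejection: the request may have been judged anomalous; check the request origin and whether the token is correct, and if necessary add a more realistic request-header strategy (future enhancement).

Reference documentation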

Usage Guidance
Do not install or enable this skill yet. Ask the publisher for: (1) source code or an install package and a verifiable origin for the 'icosmos-shopify' binary; (2) exact Supabase connection details (URL, required credentials) and why ICOSMOS_USER_EMAIL/ICOSMOS_USER_PASSWORD are needed; (3) where and how tokens are cached on disk and how long they persist; (4) proof that log redaction and the '--confirm' publish guard are actually enforced. If you must test it, run it in an isolated environment (ephemeral VM/container), avoid setting global env vars for passwords, and provide minimally-scoped Shopify tokens (least privilege). If you cannot get clear answers and source/install provenance, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: icosmos-shop Version: 0.0.1 The skill requires sensitive user credentials (ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD) to synchronize Shopify API tokens from a remote Supabase instance to a local cache. This pattern of handling plaintext passwords and third-party token synchronization is high-risk, as it creates a central point for potential credential harvesting. Furthermore, the core logic is executed via an external binary (icosmos-shopify) mentioned in SKILL.md but not provided for analysis, preventing verification of whether the Shopify tokens or user credentials are exfiltrated to unauthorized domains.
Capability Assessment
Purpose & Capability
The SKILL.md describes a Shopify diagnostic tool (read-only plus a single blog-publish write action), which is coherent with the skill name. However the doc also says it pulls shop domains and API tokens from Supabase and requires ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to 'sync' tokens to a local cache — none of these required credentials or the Supabase endpoint/key are declared in the registry metadata. The need for a user password to read a Supabase-stored token is unexplained and disproportionate without more context.
Instruction Scope
Instructions direct the agent to fetch tokens from Supabase, run a locally-present CLI named 'icosmos-shopify', and write tokens to a local cache. There is no guidance about the Supabase connection (URL/keys), where the local cache is stored, or how long tokens persist. While the diagnostic steps themselves are within the stated purpose, the instructions include reading and persisting sensitive secrets (shop tokens) without specifying protections or provenance, and they assume the presence of a local binary that was not provided.
Install Mechanism
This is instruction-only and has no install spec, yet the SKILL.md repeatedly references a local CLI ('./icosmos-shopify' or current-dir binary). The registry metadata lists no required binaries. That mismatch is a red flag: the skill will not work unless an external binary is supplied, and there is no secure or reviewed install mechanism or provenance for that binary described.
Credentials
Registry metadata declared no required env vars, but SKILL.md requires ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD (to be saved into system env) and optionally SHOPIFY_API_VERSION. It also implies access to Supabase-held tokens but does not declare or justify Supabase credentials. Requesting a user password stored as an env var and pulling API tokens from an external DB without declaring required secrets is disproportionate and inconsistent.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable (normal). However SKILL.md instructs syncing tokens to a local cache (persistence) which increases long-term privilege: cached tokens could be reused by the agent later. The document claims log redaction and requires an explicit '--confirm' for publish actions, which are mitigating controls if honestly implemented — but their implementation is not provided here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install icosmos-shop
  3. After installation, invoke the skill by name or use /icosmos-shop
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
Initial release of icosmos-shopify skill.
  • Provides Shopify store audit and diagnostics, focusing on read-only operations for store, product, checkout, and metrics analysis.
  • Only write operation supported is publishing a Shopify Blog post, which requires explicit --confirm.
  • Synchronizes store domains and tokens from Supabase, with command-line workflows for data retrieval and diagnostics.
  • Enhanced security: sensitive data is masked or excluded, and logs are desensitized.
  • Includes quick command reference, JSON output structure, pagination details, and troubleshooting guidance.
Metadata
Slug icosmos-shop
Version 0.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is icosmos shop?

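A Shopify store operations/diagnostics skill: it pulls store domains and tokens from Supabase, runs theme/product/checkout/metrics anomaly checks, and supports publishing traffic-driving blog posts (the only write operation). It is an AI Agent Skill for Claude Code / OpenClaw, with 224 downloads so far.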

How do I install icosmos shop?

Run "/install icosmos-shop" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is icosmos shop free?

Yes, icosmos shop is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does icosmos shop support?

icosmos shop is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created icosmos shop?

It is built and maintained by 王新勇(Tacey Wong) (@taceywong); the current version is v0.0.1.
