Skip to main content

shopify

Enables interaction with Shopify's Admin and Storefront GraphQL APIs using curl for managing products, orders, and customers.

Install this skill

or
59/100

Security score

The shopify skill was audited on May 23, 2026 and we found 17 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 68

Template literal with variable interpolation in command context

SourceSKILL.md
68```bash
medium line 304

Template literal with variable interpolation in command context

SourceSKILL.md
304```bash
medium line 337

Webhook reference - potential data exfiltration

SourceSKILL.md
337## Webhooks
low line 343

Webhook reference - potential data exfiltration

SourceSKILL.md
343mutation($topic: WebhookSubscriptionTopic!, $sub: WebhookSubscriptionInput!) {
low line 344

Webhook reference - potential data exfiltration

SourceSKILL.md
344webhookSubscriptionCreate(topic: $topic, webhookSubscription: $sub) {
low line 345

Webhook reference - potential data exfiltration

SourceSKILL.md
345webhookSubscription { id topic endpoint { __typename ... on WebhookHttpEndpoint { callbackUrl } } }
low line 348

Webhook reference - potential data exfiltration

SourceSKILL.md
348}' '{"topic":"ORDERS_CREATE","sub":{"callbackUrl":"https://example.com/webhook","format":"JSON"}}'
medium line 351

Webhook reference - potential data exfiltration

SourceSKILL.md
351Verify incoming webhook HMAC using the app's client secret (not the access token):
medium line 39

Access to hidden dotfiles in home directory

SourceSKILL.md
394. Save to `~/.hermes/.env`:
medium line 39

Access to .env file

SourceSKILL.md
394. Save to `~/.hermes/.env`:
low line 25

External URL reference

SourceSKILL.md
25homepage: https://shopify.dev/docs/api/admin-graphql
low line 59

External URL reference

SourceSKILL.md
59- **Endpoint:** `https://$SHOPIFY_STORE_DOMAIN/admin/api/$SHOPIFY_API_VERSION/graphql.json`
low line 73

External URL reference

SourceSKILL.md
73"https://${SHOPIFY_STORE_DOMAIN}/admin/api/${SHOPIFY_API_VERSION:-2026-01}/graphql.json" \
low line 107

External URL reference

SourceSKILL.md
107Query syntax supports `title:`, `sku:`, `vendor:`, `product_type:`, `status:active`, `tag:`, `created_at:>2025-01-01`. Full grammar: https://shopify.dev/docs/api/usage/search-syntax
low line 300

External URL reference

SourceSKILL.md
300- **Endpoint:** `https://$SHOPIFY_STORE_DOMAIN/api/$SHOPIFY_API_VERSION/graphql.json`
low line 306

External URL reference

SourceSKILL.md
306"https://${SHOPIFY_STORE_DOMAIN}/api/${SHOPIFY_API_VERSION:-2026-01}/graphql.json" \
low line 348

External URL reference

SourceSKILL.md
348}' '{"topic":"ORDERS_CREATE","sub":{"callbackUrl":"https://example.com/webhook","format":"JSON"}}'
Scanned on May 23, 2026
View Security Dashboard
Installation guide →
GitHub Stars 185.0K
Rate this skill
Categorymarketing
UpdatedJune 10, 2026
openclawapiproduct-marketergrowth-marketermarketing
NousResearch/hermes-agent