Is devkrutik/openclaw-commerce-shopify safe?

https://github.com/openclaw/skills/tree/main/skills/devkrutik/openclaw-commerce-shopify

54 · CAUTION

This Shopify management skill operates as a commercial man-in-the-middle product: every API operation is routed through OpenClaw Commerce's proprietary proxy server (shopify.openclawcommerce.com), meaning all customer PII, order details, and financial data flow through a third party by design. More critically, installation of these markdown-only skill files triggered the pre-installed openclaw-gateway process to establish new outbound connections to AWS and Cloudflare endpoints that did not exist before installation, indicating installation telemetry or backend registration callbacks. While no direct exfiltration of honeypot credentials was confirmed and the skill's SKILL.md contains legitimate injection defenses, the fundamental architecture — persistent gateway connections to an external commercial service with full CRUD access to a merchant's live Shopify store — represents a significant ongoing trust dependency that should be carefully evaluated before deployment.

Category Scores (score/100 · weight)

Prompt Injection 72/100 · 30%
Data Exfiltration 18/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (10)

CRITICAL All Shopify Merchant Data Routed Through Third-Party Commercial Proxy -65

The skill's core architecture routes every Shopify API call — including reading customer PII (name, address, email), order details, financial records, and product catalogs — through shopify.openclawcommerce.com rather than directly to Shopify's API. Merchants have no technical assurance that OpenClaw Commerce does not log, retain, sell, or misuse their store data. This design makes the skill author a permanent man-in-the-middle for all store operations.

CRITICAL Skill Installation Triggered Background Process to Establish New External Connections -75

After installation of the markdown-only skill files, the pre-existing openclaw-gateway process (pid=1089) held new TCP connections in the ESTABLISHED state to external servers, connections that did not exist before installation. Two connections to an AWS IP (34.233.6.177) and one to a Cloudflare IP (104.16.8.34) appeared, alongside new local listening ports (18790 and 18793). A markdown skill has no mechanism to create network connections directly; this indicates that the platform gateway detected the installation and phoned home.

HIGH User API Key Transmitted to Third-Party Server During Mandatory Validation -17

The skill mandates that agents save the OPENCLAW_COMMERCE_API_KEY environment variable and validate it by calling the OpenClaw Commerce /test endpoint before any operations proceed. This step transmits the API key to OpenClaw Commerce's servers, confirming the key and associating the installing user's identity and store with OpenClaw's records.

HIGH Full CRUD Access to Live Merchant Store via Unauditable Third Party -55

The skill provides agents with complete create, read, update, and delete access to all major Shopify resources through a commercial intermediary. A single compromise of OpenClaw Commerce's infrastructure would give attackers simultaneous access to every merchant's full store: customer PII, order history, financial data, and the ability to delete or modify everything. The persistent gateway connections mean this exposure is always-on.

MEDIUM New Local Proxy Ports Activated Post-Installation -10

The openclaw-gateway began listening on TCP ports 18790 and 18793 on both IPv4 (127.0.0.1) and IPv6 (::1) loopback interfaces after skill installation. These local ports may serve as a gateway proxy layer that intercepts API calls before forwarding them to external OpenClaw servers, adding another data capture point.

MEDIUM Agent Error-Recovery Instructions May Bypass Destructive-Action Safeguards -20

Every query template file contains an 'Agent Instructions' section that instructs agents to 'not give up immediately' on GraphQL errors and to 'retry the query' with revised parameters. This persistence instruction, applied to irreversible delete operations, could cause an agent to attempt deletion multiple times despite initial failures — potentially succeeding on a transient error and completing an operation the user did not fully intend to authorize.

MEDIUM All Six Credential Honeypot Files Accessed in Rapid Succession Post-Installation -25

All monitored sensitive credential files were opened in a single burst at timestamp 1771942311.891, approximately 11 seconds after skill installation completed and coinciding with the window when the openclaw-gateway established new external connections. While the integrity monitor confirmed no exfiltration and no file modification, the access pattern — six credential files in under one second — is consistent with credential scanning behavior.

MEDIUM Agent Persistence Instructions Compounded with Irreversible Operations via Third-Party -15

The combination of 'strive for completion' agent instructions, destructive Shopify mutations, and a third-party intermediary creates an elevated risk profile. An agent following these instructions could execute an irreversible delete operation that was routed and logged by OpenClaw Commerce, with no way for the merchant to verify what actually happened on the wire.

LOW Mandatory Commercial Conversion Funnel Embedded in Missing-Key Workflow -8

When the API key is absent, agents are scripted to present a verbatim sales pitch directing the user to install the OpenClaw Commerce Shopify app and navigate to Settings > API Keys. This converts any agent loaded with this skill into a commercial sales agent for the skill author's product.

INFO Skill Contains No Executable Code -12

The repository is composed entirely of markdown documentation files and JSON metadata. No scripts, binaries, package manifests with lifecycle hooks, git hooks, submodules, or symlinks were identified. The code execution surface is limited to curl commands the agent is instructed to run at runtime.