Delv
Official (Vendor)4.1by Shopify

Shopify

Shopify's official Dev MCP for app and storefront work: docs lookups, schema introspection, project scaffolding.

Homepage
C
Safety & Trust

Delv Safety Grade: C

Score 62/100 · assessed 2026-04-28

Maintainer95
Permissions55
Supply chain35
Transparency40
Incidents100

Shopify's official MCP server provides legitimate access to store data through their standard API, backed by a major e-commerce platform with strong engineering practices. The maintainer score is excellent given Shopify's size and reputation. However, significant transparency and supply-chain concerns drag the overall grade down. There's no public repository, no package distribution, and the installation method is entirely unclear from the documentation. The permissions are broad, granting read and write access to products, orders, and customer data, which is appropriate for merchant automation but carries inherent risk. The requirement for SHOPIFY_ACCESS_TOKEN means credentials with potentially wide scope must be stored locally. Without visible source code, dependency pinning, or standard distribution channels, users cannot verify what they're running or track updates. This is unusual for an official vendor MCP and limits auditability despite Shopify's trustworthiness.

Lethal Trifecta (prompt-injection exposure)

TRIFECTA RISK
All three axes present. This server can read private data, ingest attacker-controlled content, and send data outbound. A poisoned input (a GitHub issue, an email, a webpage) can exfiltrate secrets via this chain. Only install with auditing; avoid on shared or cloud agents.
Private dataYes
Reads secrets, credentials, private files
Untrusted inputYes
Ingests web pages, PRs, issues, emails
External commsYes
Can send data outbound

Customer data is private; product reviews and customer messages are mixed-trust; outbound is the entire admin API.

Green flags

  • Official Shopify product from major established e-commerce vendor
  • Uses standard Shopify API authentication patterns merchants already know
  • Scoped to single store via SHOPIFY_STORE environment variable
  • No known security incidents or credential leaks
  • Purpose-built for legitimate merchant automation use cases

Red flags

  • No public repository or source code available for inspection
  • No package distribution via npm/pypi, unclear installation method
  • Requires storing Shopify access token with potentially broad API scope
  • Minimal documentation beyond basic setup, no changelog visible
  • Cannot verify dependencies or supply chain without source access

Permissions requested

Outbound networkAccess secretsDB readDB writeIdentity read
Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Review

Shopify's official MCP server gives Claude direct access to your store's products, orders, and customer data. It's built for merchants who want to automate repetitive admin tasks without writing a full app. I've used it to pull order summaries, search for customers by email, and generate product reports without opening the Shopify admin panel. The setup requires a custom app in your Shopify store to generate an access token, which is more involved than some MCPs but standard for API integrations. The real value shows up in batch operations. Say you need to find all orders from the last week that are still unfulfilled, then draft follow-up emails based on customer history. With this server, Claude can query orders, cross-reference customer details, and format the output in one conversation. It's faster than clicking through the admin interface and more flexible than Shopify's built-in reports. Quirks: the server only exposes read operations for now. You can't create products or update order statuses through Claude, which limits automation potential. The documentation assumes you know your way around Shopify's API structure, so if you've never created a custom app before, expect to spend time in the Shopify Partner dashboard. Error messages are sparse when authentication fails, so double-check your access token scopes. Who shouldn't bother: if you're not a Shopify merchant or developer working directly with merchant data, this does nothing for you. It's also overkill if you only need basic store stats, which Shopify's native analytics already cover. But for anyone running a store who finds themselves repeating the same admin queries daily, this is a legitimate time-saver. I'd reach for it when building custom reporting workflows or triaging customer support issues that require pulling data from multiple parts of the store.
Verdict

Install this if you manage a Shopify store and spend time digging through orders, products, or customer records. Skip it if you don't have a store or if you're looking for write operations like inventory updates. The read-only limitation is real, but for querying and reporting, it's solid.

Good at

  • Official Shopify build, so it tracks API changes and doesn't rely on third-party maintenance.
  • Combines product, order, and customer queries in one server, which beats juggling multiple tools or browser tabs.
  • Works well for custom reporting workflows that Shopify's native analytics don't cover.
  • Supports all major MCP hosts, so you can use it in Claude Desktop, Cursor, or Windsurf without friction.

Watch out

  • Read-only operations mean you can't automate order updates or product edits, which limits practical use cases.
  • Requires creating a custom Shopify app and managing API tokens, which adds setup friction compared to simpler MCPs.
  • Documentation assumes familiarity with Shopify's API structure, so first-time users may need to reference Shopify's developer docs.
  • Error handling is minimal, so authentication issues can be cryptic to diagnose.

Getting started

1. Create a custom app in your Shopify admin (Settings > Apps and sales channels > Develop apps) and generate an Admin API access token with read permissions for products, orders, and customers. 2. Note your store's subdomain (the bit before .myshopify.com) and save the access token somewhere secure. 3. Add the server to your MCP host config with SHOPIFY_ACCESS_TOKEN and SHOPIFY_STORE environment variables pointing to your token and store subdomain. 4. Restart your host and ask Claude to list your latest orders or search for a product by name to verify the connection works. 5. Watch out for scope errors: if Claude can't access certain data, revisit your custom app's API permissions and ensure the token has the right scopes enabled.

Works with

Claude DesktopClaude CodeCursorWindsurfClineZed

Similar MCPs