I just gave AI agents write access to Shopify stores. Here's everything standing between them and disaster.
Last week, a developer shipped an MCP server that gives AI agents write access to live Shopify stores. The agent can create discount codes, build customer segments, and draft WhatsApp campaigns against real order data.

While read-only agent integrations are common, the author argues they are just "chatbots wearing a dashboard." The useful version is the one that takes action, but that same capability introduces risk: a hallucinated SELECT returns a wrong answer, while a hallucinated discount code gives away free product. Before enabling writes, the author enumerated every way an agent could harm a store and built one guardrail per failure mode.

The key design decision is that every agent token starts read-only: able to list customers, inspect segments, and read campaign stats. Write capability is a separate flag that the merchant must explicitly enable per token. The token structure includes scopes (defaulting to "read") and a writeEnabled flag (defaulting to false). This approach generalizes to any agent surface that touches business data.
Developers must design agent tokens with least privilege to prevent catastrophic write operations from hallucinations.
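
The read-only-by-default token described above, as an added example that is not the server's own code. The tool names, the array form of scopes, and the rule that a write needs both the "write" scope and writeEnabled set to exactly true are assumptions made for illustration.

```javascript
// Added example: deny-by-default authorization for agent tool calls.
// Tool names and the scopes-as-array shape are assumptions, not the project's API.
const TOOLS = Object.freeze({
  list_customers:       { mode: "read" },
  get_campaign_stats:   { mode: "read" },
  create_discount_code: { mode: "write" },
  draft_campaign:       { mode: "write" },
});

// Build a token from untrusted stored/JSON input. Missing or malformed
// fields fall back to the safe defaults: scopes ["read"], writeEnabled false.
function makeToken(raw) {
  const r = raw ?? {};
  const scopes = Array.isArray(r.scopes)
    ? r.scopes.filter((s) => s === "read" || s === "write")
    : ["read"];
  return Object.freeze({
    id: String(r.id ?? "tok_constructed"),
    scopes: Object.freeze(scopes),
    // Strict comparison: the string "true" or the number 1 must not enable writes.
    writeEnabled: r.writeEnabled === true,
  });
}

// Decide whether a token may invoke a tool. Every path that is not
// explicitly allowed returns a denial with a reason suitable for an audit log.
function authorize(token, toolName) {
  // Own-property lookup so names like "constructor" never resolve to a tool.
  const known = Object.prototype.hasOwnProperty.call(TOOLS, toolName);
  if (!known) return { allowed: false, reason: "unknown_tool" };
  const tool = TOOLS[toolName];
  if (!token.scopes.includes(tool.mode))
    return { allowed: false, reason: `missing_scope:${tool.mode}` };
  if (tool.mode === "write" && token.writeEnabled !== true)
    return { allowed: false, reason: "write_not_enabled" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample tokens: default, scope without the flag, and full writer.
const readOnly = makeToken({ id: "tok_a" });
const scopeOnly = makeToken({ id: "tok_b", scopes: ["read", "write"], writeEnabled: "true" });
const writer = makeToken({ id: "tok_c", scopes: ["read", "write"], writeEnabled: true });

for (const t of [readOnly, scopeOnly, writer]) {
  console.log(t.id, authorize(t, "create_discount_code"));
}
```

Only the third token is allowed to create a discount code; the second is refused because its writeEnabled value arrived as a string rather than the boolean true.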