Skill v0.1.0
ClawScan security
Airkorea Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 12:14 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement exactly what its README/SKILL.md describe (AirKorea API wrappers), but the package metadata omits required environment variables and binaries, and there are a few small operational risks you should understand before installing.
- Guidance: This package appears to be a straightforward AirKorea (data.go.kr) CLI implemented as bash scripts, which matches the README/SKILL.md. However, the registry metadata omitted required runtime pieces: you must export AIRKOREA_SERVICE_KEY (the API decoding key) and have curl and jq available. Before installing or running:
  1. Verify the publisher/source (no homepage/origin is listed here).
  2. Keep your AIRKOREA_SERVICE_KEY secret and do not commit it to VCS; note that the scripts send it in the URL query string, which can be exposed in logs or proxies.
  3. Do not set ARPLTN_BASE or MSRSTN_BASE to untrusted endpoints (they can redirect requests).
  4. Ask the publisher to update the package metadata to declare AIRKOREA_SERVICE_KEY as a required credential and to list the required binaries (curl, jq).
  If you cannot verify the source, inspect the scripts locally before execution; otherwise the functional behavior is coherent with the stated purpose.
Review Dimensions
- Purpose & Capability (concern): Name/description match the code: the scripts call data.go.kr's AirKorea endpoints and return JSONL. However, the registry metadata declares no required env vars or binaries, while the scripts clearly require AIRKOREA_SERVICE_KEY (and optionally ARPLTN_BASE/MSRSTN_BASE) and the binaries curl and jq. The missing declarations are an incoherence between what the skill claims to need and what it actually uses.
- Instruction Scope (note): SKILL.md and the scripts restrict behavior to calling apis.data.go.kr endpoints and emitting JSONL. The runtime instructions require you to export AIRKOREA_SERVICE_KEY and to have curl and jq. The scripts do not read other system secrets or contact any endpoints outside the (configurable) ARPLTN_BASE/MSRSTN_BASE. One operational note: the scripts place the API key into the query string (serviceKey param), which can expose the key in logs or proxies.
- Install Mechanism (note): There is no install spec (no network downloads or installers); code is delivered as shell scripts included in the bundle. That is low-risk compared to remote downloads, but the registry should have declared the required binaries and env vars. Because this is a code bundle (scripts), running them will execute bash code on your machine; review before running.
- Credentials (concern): The only secret the code needs is AIRKOREA_SERVICE_KEY, which is proportionate to the purpose. But the registry metadata lists no required env vars or primary credential: that's a mismatch. Additionally, the optional ARPLTN_BASE / MSRSTN_BASE env vars let a user override endpoints; if those are set to untrusted domains they would redirect queries (including the service key if set) away from data.go.kr, so be cautious about environment values.
- Persistence & Privilege (ok): The skill does not request permanent/always-on inclusion, does not modify other skills or system-wide configuration, and does not store credentials for itself. There is no elevated persistence requested.
