G2b Cli

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent, read-only procurement-data CLI, with setup and key-handling notes rather than suspicious behavior.

Reasonable to install if you want a read-only G2B/data.go.kr procurement CLI. Before using it, install curl and jq, set G2B_SERVICE_KEY yourself, keep any G2B_*_BASE overrides pointed at trusted endpoints, and treat the example pipelines as optional workflows that may involve other services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installation or first use may fail until the user manually installs dependencies and configures the API key, and the package has limited external provenance information.

Why it was flagged

The supplied registry/install metadata under-declares setup requirements even though the included scripts require local tools and an API key. This is a disclosure/setup completeness issue, not evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none ... Required binaries (all must exist): none ... Required env vars: none ... No install spec — this is an instruction-only skill.

Recommendation

Declare curl, jq, bash, and G2B_SERVICE_KEY in metadata or installation docs, and review the included shell scripts before use because no homepage/source repository is provided.

What this means

The API key is required for normal operation and is sent to the configured endpoint; if a user sets a custom G2B_*_BASE value, that endpoint would receive the key.

Why it was flagged

The CLI needs a data.go.kr service key and sends it as the serviceKey query parameter to the configured API base, which is expected for this provider integration.

Skill content

enc_key=$(printf '%s' "$G2B_SERVICE_KEY" | jq -sRr '@uri') ... qs="serviceKey=${enc_key}&type=json" ... curl ... "${base}/${path}?${qs}"

Recommendation

Keep the data.go.kr key private, avoid running on untrusted shared machines, and only use the G2B_*_BASE override variables with endpoints you trust.

What this means

If the example is run, awardee business-registration numbers from procurement records are passed to the nts-bizno-cli workflow and its configured provider.

Why it was flagged

The optional example chains G2B awardee records into another local skill/API wrapper for business-status checks. This is disclosed and purpose-aligned, but it expands the data flow beyond this skill.

Skill content

Requires both g2b-cli and nts-bizno-cli installed ... "$NTS_BIZNO" --b-no "$brn"

Recommendation

Run the KYB example only when you intend that second-hop lookup, trust the downstream skill, and review results before publishing or forwarding them.