Skill v0.1.0

ClawScan security

G2b Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 12:12 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The scripts appear to implement exactly the advertised g2b OpenAPI wrapper, but the skill metadata omits the required secret (G2B_SERVICE_KEY) and there are a few small scope/configuration risks to be aware of.
Guidance
This skill's code matches its description: it wraps Korea's public g2b OpenAPI and requires a data.go.kr service key. Before installing, note these points:
- The registry metadata omits the required G2B_SERVICE_KEY; you will need to export that secret for the scripts to work. Treat it like any API secret — use a dev key or limited-scope key, not a wide-privilege production key unless necessary.
- The scripts default to legitimate apis.data.go.kr endpoints but allow overriding base URLs via G2B_BID_BASE / G2B_CNTRCT_BASE / G2B_STD_BASE. Do not point those to untrusted hosts (an attacker-controlled URL could capture your service key).
- The repository includes all script sources (bash). If you plan to run them, inspect the scripts (they are short and readable) and ensure curl/jq are installed. Consider running in a restricted environment or container if you're unsure.
- The examples optionally call other CLIs (nts-bizno-cli) which may require their own keys; those are not required by g2b-cli, but read the example code before enabling them.
Overall the package appears coherent and functional, but the metadata omission about required env vars is an avoidable inconsistency — treat this as a red flag to verify keys and endpoints before use.

Review Dimensions

Purpose & Capability
note: The code and SKILL.md match the description: they call data.go.kr g2b APIs and return JSONL for bid/contract/standard feeds. The single required secret (a data.go.kr service key) is exactly what this purpose needs. However, the package metadata declares no required env vars/credentials while the runtime instructions and scripts require G2B_SERVICE_KEY — an inconsistency between declared requirements and actual behavior.
Instruction Scope
ok: Runtime instructions and scripts stay on-purpose: they require curl/jq, call the configured g2b endpoints, emit JSONL, and use temporary files. The examples optionally invoke other CLIs (nts-bizno-cli) but only as an integration convenience. The scripts do not read or exfiltrate unrelated system files or secrets. One note: the scripts allow overriding the base URLs via env vars (G2B_*_BASE), which can redirect requests to arbitrary endpoints if misconfigured.
Install Mechanism
ok: This is instruction-only / script-based: no install spec or remote downloads. All code is included in the repo (shell scripts). No binary installs or archive downloads were observed.
Credentials
concern: The scripts require a sensitive G2B_SERVICE_KEY to operate (documented in SKILL.md and enforced by require_key), but the registry metadata lists no required env vars or primary credential — that's a mismatch and could mislead users about what secrets are needed. The examples also reference an optional NTS_BIZNO_SERVICE_KEY for an auxiliary integration. Aside from those service keys, no unrelated credentials or high-privilege env access is requested.
Persistence & Privilege
ok: The skill does not request always:true, does not persist or modify other skills, and does not require elevated system privileges. Autonomous invocation (disable-model-invocation=false) is the platform default and not by itself concerning here.