kipris-cli
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its KIPRIS search purpose, but its default API call sends the KIPRIS key and search terms over unencrypted HTTP.
Review before installing. If you use it, provide only a KIPRIS key you are comfortable using for this CLI, prefer an environment variable or secret store over --key, and set KIPRIS_BASE to an HTTPS endpoint if KIPRIS supports it. Also verify that the missing kipris-cli dispatcher or equivalent wrapper is present before relying on the examples.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone on the network or an intermediary proxy could potentially see the KIPRIS API key and confidential search terms, and the key could be used to consume the user's quota.
The provider call is purpose-aligned, but the default uses unencrypted HTTP and places the API key in the URL query string, exposing the key and search terms to network intermediaries.
KIPRIS_BASE="${KIPRIS_BASE:-http://plus.kipris.or.kr/kipo-api/kipi}" ... local url="${KIPRIS_BASE}/${path}${sep}ServiceKey=${key}" ... curl ... "$url"
Use an HTTPS KIPRIS base URL if supported, avoid sensitive searches on untrusted networks, and have the publisher default to HTTPS or another credential-safe transport.
Users may not get a clear install-time prompt that this skill needs a quota-bearing API key.
The registry metadata does not declare the KIPRIS credential contract even though the skill requires a KIPRIS_PLUS_KEY in its documentation and code.
Required env vars: none; Env var declarations: none; Primary credential: none; Capability signals: requires-sensitive-credentials
Declare KIPRIS_PLUS_KEY as the required credential/env var, and prefer secret/environment storage over passing keys with --key on the command line.
The skill may not run exactly as documented without an additional wrapper or manual setup.
The examples and docs invoke bin/kipris-cli, but the provided manifest lists subcommand scripts and does not include a bin/kipris-cli dispatcher or an install spec.
CLI="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/bin/kipris-cli"
The publisher should include the dispatcher script or update the documentation, and declare runtime dependencies such as bash, curl, and python3.
