kipris-cli
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone on the network or an intermediary proxy could potentially see the KIPRIS API key and confidential search terms, and the key could be used to consume the user's quota.
The provider call is purpose-aligned, but the default uses unencrypted HTTP and places the API key in the URL query string, exposing the key and search terms to network intermediaries.
KIPRIS_BASE="${KIPRIS_BASE:-http://plus.kipris.or.kr/kipo-api/kipi}" ... local url="${KIPRIS_BASE}/${path}${sep}ServiceKey=${key}" ... curl ... "$url"Use an HTTPS KIPRIS base URL if supported, avoid sensitive searches on untrusted networks, and have the publisher default to HTTPS or another credential-safe transport.
Users may not get a clear install-time prompt that this skill needs a quota-bearing API key.
The registry metadata does not declare the KIPRIS credential contract even though the skill requires a KIPRIS_PLUS_KEY in its documentation and code.
Required env vars: none; Env var declarations: none; Primary credential: none; Capability signals: requires-sensitive-credentials
Declare KIPRIS_PLUS_KEY as the required credential/env var, and prefer secret/environment storage over passing keys with --key on the command line.
The skill may not run exactly as documented without an additional wrapper or manual setup.
The examples and docs invoke bin/kipris-cli, but the provided manifest lists subcommand scripts and does not include a bin/kipris-cli dispatcher or an install spec.
CLI="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/bin/kipris-cli"Publisher should include the dispatcher script or update the documentation, and declare runtime dependencies such as bash, curl, and python3.