kipris-cli

Pass. Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: kipris-cli
Version: 0.1.0

The kipris-cli skill bundle is a legitimate tool for searching the Korean Intellectual Property Rights Information Service (KIPRIS). It provides shell wrappers and Python utilities to query the official KIPRIS Plus OpenAPI and convert XML responses into JSONL. The code uses standard practices for input sanitization (via urlencode) and does not exhibit any signs of data exfiltration, malicious execution, or prompt injection. All network requests are directed to the official domain (plus.kipris.or.kr).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone on the network or an intermediary proxy could potentially see the KIPRIS API key and confidential search terms, and the key could be used to consume the user's quota.

Why it was flagged

The provider call is purpose-aligned, but the default uses unencrypted HTTP and places the API key in the URL query string, exposing the key and search terms to network intermediaries.

Skill content

KIPRIS_BASE="${KIPRIS_BASE:-http://plus.kipris.or.kr/kipo-api/kipi}" ... local url="${KIPRIS_BASE}/${path}${sep}ServiceKey=${key}" ... curl ... "$url"

Recommendation

Use an HTTPS KIPRIS base URL if supported, avoid sensitive searches on untrusted networks, and have the publisher default to HTTPS or another credential-safe transport.

What this means

Users may not get a clear install-time prompt that this skill needs a quota-bearing API key.

Why it was flagged

The registry metadata does not declare the KIPRIS credential contract even though the skill requires a KIPRIS_PLUS_KEY in its documentation and code.

Skill content

Required env vars: none; Env var declarations: none; Primary credential: none; Capability signals: requires-sensitive-credentials

Recommendation

Declare KIPRIS_PLUS_KEY as the required credential/env var, and prefer secret/environment storage over passing keys with --key on the command line.

What this means

The skill may not run exactly as documented without an additional wrapper or manual setup.

Why it was flagged

The examples and docs invoke bin/kipris-cli, but the provided manifest lists subcommand scripts and does not include a bin/kipris-cli dispatcher or an install spec.

Skill content

CLI="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/bin/kipris-cli"

Recommendation

Publisher should include the dispatcher script or update the documentation, and declare runtime dependencies such as bash, curl, and python3.