Mfds Cli

Pass

Audited by ClawScan on May 6, 2026.

Overview

This looks like a normal MFDS public-data lookup tool, but users should protect the API key and only use the custom-endpoint option with trusted data.go.kr URLs.

Install only if you are comfortable providing a data.go.kr MFDS API key. Prefer the built-in MFDS endpoints, verify any missing bin/mfds-cli launcher before running it, and treat full request URLs as sensitive because they may contain the service key.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is exposed, someone else could use the user's data.go.kr quota or registered API access.

Why it was flagged

The skill needs a service credential to call the public MFDS APIs. This is expected for the stated purpose, but users should still treat the key as a credential, especially because registry requirements list no required env vars.

Skill content

Requires a free MFDS_API_KEY from data.go.kr.

Recommendation

Use a dedicated data.go.kr key, store it in an environment variable, and avoid pasting it into prompts or sharing logs that contain full request URLs.

What this means

A mistaken or malicious endpoint value could send the API key and search terms to an unintended server.

Why it was flagged

The command supports a full endpoint override while including the API key in the query string. This is disclosed and useful for MFDS endpoint changes, but a non-MFDS URL would receive the key and query parameters.

Skill content

--endpoint <url>       override the default endpoint ... URL="${ENDPOINT:-https://apis.data.go.kr/1471000/DrugPrdtPrmsnInfoService06/getDrugPrdtPrmsnDtlInq05}" ... "serviceKey=$KEY"

Recommendation

Use the default endpoints whenever possible; only override with trusted MFDS/data.go.kr URLs and do not let untrusted content supply --endpoint.

What this means

The documented commands or examples may fail, and users might be tempted to fetch an unreviewed replacement script from elsewhere.

Why it was flagged

The documentation references a bin/mfds-cli dispatcher, but the supplied manifest/file contents do not include that file. This looks like an incomplete package or documentation mismatch rather than malicious behavior.

Skill content

chmod +x mfds-cli/bin/*.sh mfds-cli/bin/mfds-cli

Recommendation

Verify the package contents before use and only run any missing dispatcher script if it comes from a trusted, reviewed source.