Mfds Cli
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: mfds-cli
Version: 0.1.0
The mfds-cli skill is a legitimate tool for interacting with the Korean Ministry of Food and Drug Safety (MFDS) public APIs. The code consists of bash wrappers and a Python normalization script that fetch drug-related data from apis.data.go.kr and convert it to JSONL format. No evidence of malicious intent, data exfiltration, or prompt injection was found; the scripts handle API keys via environment variables or flags as described, and the use of subprocesses in examples is limited to chaining internal CLI commands.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is exposed, someone else could use the user's data.go.kr quota or registered API access.
The skill needs a service credential to call the public MFDS APIs. This is expected for the stated purpose, but users should still treat the key as a credential, especially because registry requirements list no required env vars.
Requires a free MFDS_API_KEY from data.go.kr.
Use a dedicated data.go.kr key, store it in an environment variable, and avoid pasting it into prompts or sharing logs that contain full request URLs.
A mistaken or malicious endpoint value could send the API key and search terms to an unintended server.
The command supports a full endpoint override while including the API key in the query string. This is disclosed and useful for MFDS endpoint changes, but a non-MFDS URL would receive the key and query parameters.
--endpoint <url> override the default endpoint ... URL="${ENDPOINT:-https://apis.data.go.kr/1471000/DrugPrdtPrmsnInfoService06/getDrugPrdtPrmsnDtlInq05}" ... "serviceKey=$KEY"
Use the default endpoints whenever possible; only override with trusted MFDS/data.go.kr URLs and do not let untrusted content supply --endpoint.
The documented commands or examples may fail, and users might be tempted to fetch an unreviewed replacement script from elsewhere.
The documentation references a bin/mfds-cli dispatcher, but the supplied manifest/file contents do not include that file. This looks like an incomplete package or documentation mismatch rather than malicious behavior.
chmod +x mfds-cli/bin/*.sh mfds-cli/bin/mfds-cli
Verify the package contents before use and only run any missing dispatcher script if it comes from a trusted, reviewed source.
