OpenDART Disclosure
PassAudited by ClawScan on May 1, 2026.
Overview
This skill coherently queries OpenDART disclosures; it needs an OpenDART API key and writes a small local company-code cache, but the artifacts do not show hidden or unsafe behavior.
This looks safe for its stated purpose. Before using it, be comfortable providing an OpenDART API key and allowing a local company-code cache under ~/.cache/opendart; prefer the environment variable option for the key.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an OpenDART API key; passing it on the command line can expose it through shell history or process listings on some systems.
The skill requires an OpenDART API credential for its intended API access. This is purpose-aligned and disclosed, but users should handle the key carefully.
API key options: - `--api-key <KEY>` - or env var `OPENDART_API_KEY`
Prefer using the OPENDART_API_KEY environment variable or a secret manager rather than pasting the key into shared chats or command history.
Future company-name lookups may use cached data, which can become stale or be affected by local file tampering on a shared machine.
The script persists the downloaded company-code mapping locally and reuses it unless refreshed. The cached data appears to be public company metadata, not credentials.
CORP_CACHE = os.path.expanduser("~/.cache/opendart/corpcode.json")Use the script's --refresh option or delete the cache if company matching looks wrong; keep normal file permissions on the cache directory.