Korean Gov Programs
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: korean-gov-programs
Version: 1.0.8

The skill bundle is a web scraper designed to collect Korean government support program data into JSONL files. The `SKILL.md` provides clear, benign instructions for the AI agent and human users, with no evidence of prompt injection attempts. The `scripts/collect.py` and `scripts/stats.sh` files perform web scraping using `urllib.request` and local file operations (reading/writing JSONL and checkpoint files). All network requests are directed to legitimate Korean government domains, and there is no evidence of data exfiltration to unauthorized endpoints, arbitrary command execution, or other malicious behaviors. The use of environment variables is limited to `GOV_SCRAPER_UA` for user-agent customization, which is benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user runs the stats helper on an untrusted, specially named local directory, commands could execute with the user's permissions.
The script derives CHECKPOINT from a user-controlled argument and embeds it directly inside Python source code instead of passing it as argv or safely escaping it. A crafted directory name could break the string literal and potentially inject Python code.
```
DATA_DIR="${1:-./data}"
CHECKPOINT="$DATA_DIR/.checkpoint.json"
...
python3 -c "
import json
with open('$CHECKPOINT', encoding='utf-8') as f:
```
Use only simple, trusted output paths for now. The maintainer should change the checkpoint-reading `python3 -c` block to pass the path as an argument, e.g. `python3 - "$CHECKPOINT"`, and read `sys.argv[1]`.
The package metadata is inconsistent, so users have less assurance that the installed package, reviewed files, and documented scripts all come from the same expected release.
The registry/SKILL metadata describes version 1.0.8 and author 'raon', while package.json says 1.0.7 with a different author and would publish only SKILL.md despite the skill relying on scripts.
"version": "1.0.7", "author": "Yeomyeonggeori Inc. <iam@dawn.kim>", "files": ["SKILL.md"]
Verify the installed files before use. The publisher should align version/author metadata and include the scripts in package metadata or provide a clear source repository.
Running the collector will contact public government websites and create or append files in the selected output directory.
The skill tells users to run local scripts that fetch data and write JSONL/checkpoint files. This is expected for the stated crawler purpose, but users should understand it performs local file operations and web requests.
python3 scripts/collect.py --output ./data ... **APPEND only**: existing files are never overwritten ... progress state is saved to .checkpoint.json
Run it from a trusted checkout and choose a dedicated output directory that does not contain unrelated important files.
