ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MIJ Kakao Local API (PowerShell)

v1.0.0

PowerShell skill for calling Kakao Local API to normalize addresses and search places with keyword, location, radius, and category filters.

0· 659·1 current·1 all-time
by@muninjun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and included PowerShell script implement Kakao Local address normalization and place search and legitimately require a Kakao REST API key and access to a local data directory. However the registry metadata claims no required environment variables or primary credential — that is inconsistent with the actual runtime behavior (the script explicitly reads KAKAO_REST_API_KEY from User/Process env or a config.json).
Instruction Scope
The instructions and script stay within the stated purpose: they call only Kakao API endpoints, use curl.exe, parse responses, and read/write files under the skill's data directory (places.json, cache.json, data/config.json). The script reads environment variables (User, Process, and process env) and reads/writes files under skills/kakao-local/data; these actions are expected for a local client but should be noted (it does not attempt to read system-wide secrets or other unrelated paths).
Install Mechanism
This is an instruction-only skill with no install spec and no external downloads. No code is installed by an automated installer beyond running the included PowerShell script, which is lower risk in the installer dimension.
!
Credentials
The script requires a Kakao REST API key (KAKAO_REST_API_KEY) via environment variable or config.json, which is proportional to the functionality. The concern is that the skill registry metadata did not declare this required env var or primary credential, creating an information mismatch that could lead users to overlook storing/protecting the key appropriately.
Persistence & Privilege
The skill does not request elevated platform privileges, does not set always:true, and only writes to its own skill data directory. Persisting data (places.json, cache.json, config.json) in the skill folder is normal for this type of skill.
What to consider before installing
This skill implements a Kakao Local API client in PowerShell and requires a Kakao REST API key, but the package metadata omits that requirement — treat that as a red flag. Before installing: (1) verify you obtain and store a Kakao REST API key with appropriate scope and rotate/revoke it if compromised; (2) prefer setting the key as a User-scoped environment variable rather than committing a config.json into source control (the SKILL.md also warns to add config.json to .gitignore); (3) review and control files under skills/kakao-local/data (places.json, cache.json) because they may contain saved locations or query history; (4) run the script in a constrained/test environment (or with a limited account) first to confirm behavior; and (5) ask the publisher to update registry metadata to declare KAKAO_REST_API_KEY as a required credential so automated gating and audits can catch it.

Like a lobster shell, security has layers — review code before you run it.

kakao-localvk97bntg29ffakh26e5v5999v7d8128adlatestvk97bntg29ffakh26e5v5999v7d8128ad

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments