firmenbuchat

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent CLI skill for Austrian company-register access, with the main user considerations being API-key handling and trust in the externally installed CLI.

Before installing, confirm that you trust the pasogott Homebrew tap or GitHub package. Configure the Firmenbuch API key carefully, avoid exposing it in shell history or shared files, and run document download commands only when you intend to save those records locally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent or user can make Firmenbuch service requests using the user's API key, which may affect account access, usage limits, or billing depending on the provider.

Why it was flagged

The skill expects use of a Firmenbuch service API key via config, environment variable, .env file, or direct CLI argument. This is expected for the service, but it gives the CLI access under the user's credential.

Skill content

Setup (API key)
- `firmenbuchat config set-key`
- `export FIRMENBUCH_API_KEY="dein-key"`
... `-k, --api-key`: pass the API key directly

Recommendation

Use a dedicated API key if available, avoid passing secrets directly on the command line when possible, and remove the key with the documented config delete command when no longer needed.

What this means

Installing the skill means trusting the external firmenbuchat package source to provide the binary the skill will invoke.

Why it was flagged

Installation depends on an external Homebrew tap or GitHub package rather than code included in the skill artifact. This is typical for a CLI wrapper, but it is a supply-chain trust point.

Skill content

"install":[{"id":"brew","kind":"brew","formula":"pasogott/tap/firmenbuchat"...},{"id":"uv","kind":"shell","command":"uv add git+https://github.com/pasogott/firmenbuch-aip.git"...}]

Recommendation

Install only if you trust the referenced Homebrew tap/GitHub project, and prefer pinned or reviewed releases where available.

What this means

The skill can create local downloaded document files when asked to do so.

Why it was flagged

The CLI can download company-register documents and write them to a user-specified output path. This is directly aligned with the stated purpose and user-directed.

Skill content

Download: `firmenbuchat urkunde download <URKUNDEN_KEY> [--output PATH]`

Recommendation

Choose output paths intentionally and review downloaded files before sharing them.