한국 법령/판례 검색

This skill appears to be what it says (a Korean law/case search), but it has several concrete issues you should address before enabling it for routine use: 1) Declaration mismatch: The skill metadata declares no required credentials/config paths, yet the scripts read ~/.config/data-go-kr/api_key (and the docs mention ~/.config/law-go-kr/credentials.json). Ask the author to update the metadata to list required config paths or remove undeclared file access. Only provide the specific API key the skill actually needs (preferably a limited-scope key). 2) Network security: The scripts call data.go.kr over plain HTTP and include the API key in the URL. This exposes your key on the network. Require HTTPS endpoints (or confirm the official API supports HTTPS) before using real keys. 3) Shell injection risk: The scripts build python -c commands that interpolate unescaped user input ($QUERY). If the skill runs these scripts with input derived from user queries, a specially crafted query could trigger shell substitution. Recommend the author rewrite encoding routines to avoid shell interpolation (for example, pass query strings as arguments or use printf %q, or use a safe wrapper in Python that reads from stdin/argv). 4) Credential scope and origin: SKILL.md claims law.go.kr is the primary API but the scripts only use data.go.kr. Clarify which API is primary and remove unused credential steps—or implement law.go.kr support if intended. 5) Operational precautions: Until the above are fixed, run the skill in a restricted environment (sandbox/container), do not supply high-privilege credentials, and review the scripts locally. If you must use it now, create a throwaway or limited-scope API key at data.go.kr and monitor its usage. If the author provides updated metadata (declared config paths), switches to HTTPS, and fixes argument quoting/escaping, the incoherence and immediate security concerns would be addressed.