Ministry of Land, Infrastructure and Transport (MOLIT) Real Estate Actual Transaction Prices
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted district code, month, or row-count argument could alter the Python code the skill runs, potentially executing unintended local commands under the user's account.
The shell variables come from positional arguments and are interpolated directly into Python source passed to `python3 -c`, rather than being passed safely through argv/environment or validated as numeric inputs.
LAWD_CD=${1:-11680}
DEAL_YMD=${2:-$(date +%Y%m)}
NUM=${3:-10}
...
'LAWD_CD': '${LAWD_CD}',
'DEAL_YMD': '${DEAL_YMD}',
'numOfRows': '${NUM}'
Pass arguments to Python via `sys.argv` or environment variables, validate `LAWD_CD` as 5 digits, `DEAL_YMD` as YYYYMM, and `NUM` as a bounded integer, and avoid constructing executable code with raw user input.
The skill may fail for most users or use a credential file that was not the one the user was instructed to create.
The script reads a local provider API key, which is expected for data.go.kr access, but the path is hard-coded to one home directory instead of the documented `~/.config/data-go-kr/api_key`.
key = open('/home/scott/.config/data-go-kr/api_key').read().strip()
Use the current user's home directory, such as `os.path.expanduser('~/.config/data-go-kr/api_key')`, and declare the required credential/config path in metadata.
If those integrations are used, real-estate queries or derived context may be shared with other tools or services.
The skill documents optional cross-skill/provider integrations for law, search, weather/finance context, and notifications, though no implementation for these integrations is included in the provided files.
connectors: [~~realestate, ~~law, ~~search, ~~notify]
...
`~~search` | Trend supplement | Brave Search
`~~notify` | Alerts | Telegram
Confirm which external skills or services will be invoked before enabling optional enrichment or notification workflows.
