Skill v1.0.1
ClawScan security
Welfare Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 22, 2026, 2:57 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (Korean welfare/benefits lookup) is coherent with its instructions to use data.go.kr APIs, but there are a few mismatches and privacy/operational concerns you should understand before installing.
- Guidance: This skill appears to do what it says (tailored welfare/benefit lookup) but take these precautions before installing or using it:
  - Privacy: The skill will ask for personal details (age, household, income, disability, region) to provide tailored results. Avoid entering full identifiers (resident registration numbers, full addresses) and consider anonymizing sensitive values where possible.
  - API key handling: The setup instructs you to save a data.go.kr API key to ~/.config/data-go-kr/api_key in plaintext. Prefer storing keys in a secure secret manager or at least restrict file permissions (chmod 600). Do not paste credentials into chat messages.
  - Missing scripts: The playbook references bash scripts to call the APIs, but only a README is included; the actual scripts are not present. Before running anything, review or implement the scripts yourself to ensure they do exactly what you expect and do not exfiltrate data.
  - Web search fallback: If the APIs are not configured, the skill falls back to web_search. Be mindful that search queries may be logged by the search provider; avoid including sensitive personal data in those queries.
  - Verify scope: If you plan to supply an API key, confirm the data.go.kr service agreement and what data the APIs return; ensure the key has only the necessary permissions and monitor usage/quota.

  If you want to proceed: obtain a data.go.kr key, implement/review the missing scripts locally, store the key securely, and limit the personal data you supply in conversations. If you need, I can list exact checks to perform on any scripts before running them.
Review Dimensions
- Purpose & Capability: ok. The name/description match the runtime instructions: the skill queries public Korean government APIs (data.go.kr IDs provided) and falls back to web search. No unrelated credentials or unrelated binaries are requested.
- Instruction Scope: concern. The SKILL.md and playbook direct collection of potentially sensitive personal data (age, household composition, income level, disability status, region), which is necessary for tailored benefit lookup but carries privacy risk. The docs instruct storing an API key at ~/.config/data-go-kr/api_key and running shell scripts (bash skills/welfare-guide/scripts/*.sh) to call APIs; however, those scripts are not included (only a README exists). The fallback 'web_search' behavior means queries could be sent to external search endpoints; avoid embedding full personal identifiers in queries.
- Install Mechanism: ok. Instruction-only skill with no install spec or binaries reduces risk. No downloads or package installs are requested. Minor operational inconsistency: the playbook references runnable scripts but only scripts/README.md is present (actual scripts are missing).
- Credentials: note. The skill does not require environment variables or external credentials besides the public data.go.kr API key, which is proportional to the purpose. It recommends storing the key in plaintext at ~/.config/data-go-kr/api_key; this is functional but a weaker secret-handling pattern, and using a secure secret store or agent-managed secret is preferable.
- Persistence & Privilege: ok. The skill is not 'always' enabled and uses default autonomous invocation settings. It does not request system-wide config paths or other skills' credentials.
