ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Summarize Cli

v1.0.0

Automation skill for Summarize Cli.

1· 337·3 current·3 all-time
byzhangzhifeng@164149043
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Summarize CLI) align with the SKILL.md examples which simply run a local 'summarize' binary. However, the registry-level requirements reported no required binaries or install, while the SKILL.md metadata includes a required binary ('summarize') and a brew install entry — this mismatch is an inconsistency.
Instruction Scope
Runtime instructions are limited to calling the 'summarize' CLI on URLs or files with options for length/format/output. The SKILL.md does not instruct reading unrelated files, accessing credentials, or contacting hidden endpoints.
Install Mechanism
No formal install spec was provided in the registry (skill is instruction-only), but SKILL.md metadata suggests installing via a Homebrew tap (steipete/tap/summarize). A third‑party brew tap is a moderate-risk install source compared with official repos; the skill does not include direct download URLs or archive extraction.
Credentials
The skill does not request environment variables, credentials, or config paths. SKILL.md contains no requests for secrets or unrelated environment access.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or elevated agent-wide privileges. It is user-invocable and can be invoked autonomously (platform default).
What to consider before installing
This skill appears to be a thin wrapper around a local 'summarize' CLI and its instructions are narrowly scoped. Before installing or using it: 1) verify the provenance of the 'summarize' binary — the SKILL.md suggests a third‑party Homebrew tap (steipete/tap); confirm the tap and formula are trustworthy before adding it. 2) Be aware the platform registry did not declare the same required binaries/install info found inside SKILL.md — treat that as a metadata inconsistency and prefer explicit, official install instructions. 3) Running the skill will execute a local CLI on files/URLs; avoid running it in environments that expose sensitive files or credentials to the CLI. If you need higher assurance, ask the publisher for an explicit install spec or prefer an official distribution channel for the summarize tool.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d8096jqe4rhmdgbhcb75vz1832v68

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments