Skill v0.0.1
ClawScan security
test-summary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 10:06 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a CLI wrapper that requires the 'summarize' binary and documents provider API keys and optional services; minor packaging/source signals merit review before installing.
- Guidance: This skill is a thin wrapper around a local 'summarize' CLI. Before installing:
  1) Verify the brew tap formula (steipete/tap/summarize) on GitHub to ensure the package is from a trusted maintainer.
  2) Understand that using the tool will send the content you summarize (URLs, local files, audio, images, YouTube) to whichever LLM provider or fallback services you configure — do not summarize sensitive data unless you trust the destination.
  3) The SKILL.md references optional tokens (FIRECRAWL_API_KEY, APIFY_API_TOKEN) used for extraction fallbacks; only provide these if you need those features.
  4) Note the metadata ownerId in _meta.json differs from the registry owner ID — this may be a benign packaging mismatch but is worth checking with the publisher.
  If you trust the brew tap and are comfortable with external transmission of summarized content, the skill appears coherent.
Review Dimensions
- Purpose & Capability (ok): The skill claims to call a local 'summarize' CLI to summarize URLs/files/YouTube and its declared required binary is exactly that. The documented environment variables (OpenAI/Anthropic/XAI/GEMINI, FIRECRAWL_API_KEY, APIFY_API_TOKEN) are appropriate for a summarization tool that may call LLM providers and optional extraction services.
- Instruction Scope (ok): SKILL.md only instructs how to run the summarize CLI, how to set provider API keys, and mentions an optional config file (~/.summarize/config.json). It does not direct the agent to read unrelated system files or other credentials. Note: the tool will send source content (URLs, PDFs, audio, images, YouTube) to external services/LLM providers — users should assume those contents are transmitted to whichever provider/API keys they configure.
- Install Mechanism (note): Install uses a brew formula: steipete/tap/summarize. Installing via a third-party Homebrew tap is common but slightly higher risk than an official brew/core formula; review the tap/formula source (GitHub) before installing to confirm it is legitimate.
- Credentials (ok): The skill does not require any environment variables by default. The SKILL.md documents several provider API keys and optional service tokens which are proportionate to the documented features (LLM providers, Firecrawl, Apify). These are optional; only provide keys for services you intend to use.
- Persistence & Privilege (ok): The skill does not request always-on presence and does not attempt to modify other skills. It may create/use a per-user config file at ~/.summarize/config.json, which is expected for CLI tools.
