Summarize All
Security checks across malware telemetry and agentic risk
Overview
This is a coherent summarization tool, but it does use an API key, sends summarized content to a configured AI endpoint, and stores local history/cache data.
Before installing, decide whether you trust the AI endpoint you will configure, use a limited API key if possible, and be aware that summarized content may be sent to that endpoint and retained locally in cache/history files. Use optional server, webhook, batch, and monitoring modes only when you understand where data will go.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill will need to provide an API key, which may incur provider usage costs and should be protected like a password.
The skill requires the user to configure an API key for an OpenAI-compatible endpoint. This is expected for an LLM summarizer and is disclosed, but it gives the tool delegated access to the user's provider account.
summarize-all config set key <api_key>
Use a dedicated, least-privileged API key if available, set spending limits with the provider, and remove or rotate the key if you stop using the skill.
Summaries, source references, tags, or keywords may remain on the local machine after use.
The script stores configuration, history, cache, tags, and keywords in persistent local files. This supports the advertised cache, search, tags, and keyword features, but the stored data can reflect private content or URLs.
CONFIG_DIR = pathlib.Path.home() / ".config" / "summarize-all" ... HISTORY_FILE ... CACHE_FILE ... TAGS_FILE ... KEYWORDS_FILE
Avoid summarizing highly sensitive material unless local history/cache retention is acceptable; periodically clear the tool's config/history/cache files if needed.
Private web pages, documents, images, audio transcripts, or pasted text may be processed by the endpoint the user configures.
The skill clearly discloses that summarized content is transmitted to the configured AI endpoint. This is central to the tool's purpose, but it is a sensitive data flow.
⚠️ Content you summarize will be sent to your configured API endpoint.
Only configure trusted endpoints and models that meet your privacy requirements, especially for confidential or regulated content.
If enabled, results could be made available through a local HTTP service or sent to a webhook URL.
The skill documents optional API server and webhook features. These are purpose-adjacent automation features, but they can expose or forward summary results outside the immediate CLI session if the user enables them.
| 🌐 **API Server** | HTTP API server | ... | 📡 **Webhooks** | Push results to specified URL |
Use server and webhook modes only with trusted destinations and clear access controls; avoid exposing the server on untrusted networks.
Monitoring mode may repeatedly fetch or process configured URLs until stopped.
The skill supports user-requested URL monitoring at an interval. This is disclosed and user-controlled, but it is a recurring activity that may continue beyond a single summarization request.
summarize-all monitor add "https://news.com" 60
Only add URLs you intend to monitor, review the monitor list, and remove monitors when they are no longer needed.
It may be harder to confirm exactly which release or feature set is being installed.
The registry metadata reports version 3.0.6, while _meta.json reports 3.0.2 and the script banner references v2.5. This does not show malicious behavior, but it is a provenance/versioning inconsistency users may want to verify.
"version": "3.0.2"
Verify the package source and expected version before relying on it for sensitive workflows.