get-tldr
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill does what it says by sending a user-provided URL to the get-tldr API, but users should know it needs an API key and keeps a local log of URLs and responses.
This skill appears coherent and purpose-aligned. Before installing, be comfortable sending the target URL to get-tldr.com, protect the API key used by the script, and decide whether the default local log of URLs and summaries is acceptable for your privacy needs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your get-tldr API key authorizes requests made by the skill.
The skill reads a local API token and sends it as the X-API-Key header to the stated get-tldr API. This is expected for the service, but it is credential use that users should notice.
API_KEY = cfg.get("api_token") ... headers = {"Content-Type": "application/json", "X-API-Key": API_KEY}
Use a get-tldr-specific key, keep the config or .env file private, and rotate the key if it is exposed.
Someone with access to the log file could see the URLs you summarized and the returned summaries.
The script persists the submitted URL and full API response to a local logfile. This is disclosed, but URLs and summaries can contain private information.
LOGFILE = os.path.expanduser("~/.config/get-tldr/skill.log") ... lf.write(json.dumps({"timestamp": ..., "sent": sent_payload, "response": result}
Store the logfile in a private location, review file permissions, and delete the log when it is no longer needed.
Installing dependencies from an untrusted package source could affect the local Python environment.
The script relies on the external requests package and suggests a manual, unpinned pip install if it is absent. The artifact does not auto-install it, so this is a setup/provenance note rather than suspicious behavior.
print(json.dumps({"error": "requests library required. Install with: pip install requests"}))
Install requests from a trusted package manager or in a virtual environment, and avoid running unreviewed install commands.
