Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kagi Summarizer
v1.0.0
Summarize any URL or text using Kagi's Universal Summarizer API. Supports multiple engines (including the enterprise-grade Muriel model), bullet-point takeaw...
by Jozsef Lazar (@joelazar)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name, SKILL.md, and main.go consistently implement a Kagi Universal Summarizer that calls https://kagi.com/api/v0/summarize — that matches the stated purpose. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and main.go require KAGI_API_KEY. The omission in metadata is an incoherence that could mislead users about what secrets the skill needs.
Instruction Scope
SKILL.md and the shell wrapper and Go binary keep scope limited to summarization via the Kagi API. The wrapper will build from source with Go or download a GitHub release and writes a binary to {baseDir}/.bin; it also prompts the user interactively before downloading. The code does not read other system files or extra environment variables. The interactive prompt (read from /dev/tty) and the fallback download behavior could be surprising in automated contexts and should be noted.
Install Mechanism
The install script uses GitHub Releases (https://github.com/joelazar/kagi-skills/releases) for pre-built binaries and attempts to verify checksums via checksums.txt and sha256sum (recommended). Using GitHub releases is reasonable, but downloading and executing a remote binary is higher risk than a purely source build — users should verify the checksum and trust the release author. The script also attempts to build from local Go if available.
Credentials
At runtime the program requires a single KAGI_API_KEY environment variable (proportionate to calling Kagi's API). The problem is the registry metadata does not declare this required credential; SKILL.md does. The discrepancy between declared requirements and actual runtime requirements is a meaningful red flag: the skill WILL need your Kagi API key even though the registry metadata says none.
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and only writes a binary into its own baseDir/.bin. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined with other high-risk features here.
What to consider before installing
Do not install blindly. The included code and SKILL.md require your KAGI_API_KEY even though the registry metadata omits that — confirm you are willing to provide that API key. If you proceed:
1) Prefer building from source with a trusted Go toolchain rather than running a downloaded binary;
2) If using the pre-built binary, verify the release tag and the checksum (checksums.txt + sha256sum) come from the official GitHub repo and match;
3) Be aware the wrapper may prompt interactively for download and will place the binary under {baseDir}/.bin;
4) Review network behavior — the binary will POST your text/URL and Authorization header to https://kagi.com/api/v0/summarize; only use it if you trust Kagi and the repository owner;
5) Ask the publisher/registry to fix the metadata to declare KAGI_API_KEY as a required credential so the requirement is visible before installation.
Like a lobster shell, security has layers — review code before you run it.
