Kagi Summarizer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to summarize through Kagi as claimed, but its wrapper can download and run an unverified GitHub release binary, so it needs user review before installation.

Install only if you trust both Kagi with the content you summarize and the publisher's GitHub release binaries. Prefer building from the included Go source; if you use a prebuilt binary, verify its checksum or signature yourself before running it. Avoid submitting secrets, internal documents, or regulated data unless Kagi processing is approved for that content, and monitor API-key usage and billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires shell execution and access to the KAGI_API_KEY environment variable, but those capabilities are not explicitly declared. This weakens the trust model because users and platforms cannot easily see that the skill can execute commands and access secrets before installation or use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a summarizer, but the installation flow also fetches release metadata from GitHub, downloads an executable, and may compile code locally. That hidden operational behavior materially expands the attack surface because users may believe they are only invoking a remote API when they are also running third-party code obtained at install or first run.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The wrapper does more than invoke a local summarization tool: it conditionally compiles Go code and, if that fails, fetches release metadata and installs a remote executable. That bootstrap behavior expands the trust boundary and introduces software supply chain risk that is not inherent to the stated summarization purpose, especially because the downloaded binary is executed immediately after installation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script downloads an executable from GitHub releases and marks it executable before running it, but performs no cryptographic verification beyond HTTPS and an API-derived tag. If the upstream release, repository, network trust chain, or tag resolution is compromised, users could execute attacker-controlled code on their system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not prominently warn that user-supplied URLs or raw text are transmitted to Kagi's external API for summarization. This is a real privacy and data-handling issue because users may submit sensitive documents, transcripts, or internal URLs under the mistaken assumption that processing is local.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool sends user-supplied URLs or raw text, which may contain sensitive or proprietary data, to Kagi's external summarization API. While this is core to the skill's intended functionality rather than overtly malicious behavior, the code provides no explicit warning, consent prompt, redaction support, or guardrails to help users avoid transmitting confidential data off-host.

External Transmission

Medium
Category
Data Exfiltration
Content
aarch64|arm64) ARCH="arm64" ;;
esac

TAG=$(curl -fsSL "https://api.github.com/repos/joelazar/kagi-skills/releases/latest" | grep '"tag_name"' | cut -d'"' -f4)
BINARY="kagi-summarizer_${TAG}_${OS}_${ARCH}"

mkdir -p {baseDir}/.bin
Confidence
88% confidence
Finding
https://api.github.com/

VirusTotal

66/66 vendors flagged this skill as clean.
