MH summarize

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward helper for summarizing links, videos, and files, with privacy considerations because content may be processed by external services.

Install only if you trust the Homebrew tap and the summarize CLI. Avoid using it on confidential files, private URLs, or sensitive transcripts unless you are comfortable with the configured AI provider and optional Firecrawl or Apify services receiving that content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrases are broad enough to match common requests like asking what a link or video is about, which can cause the skill to activate opportunistically in situations the user did not explicitly intend. Because this skill can process URLs and local files and may send content to third-party summarization services, over-triggering increases the chance of unintended data disclosure or unexpected external access.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill documentation does not warn that URLs, transcripts, and especially local file contents may be transmitted to external model providers or fallback services such as Google, OpenAI, Firecrawl, or Apify. Users may reasonably assume local processing, so the lack of notice creates a meaningful privacy and confidentiality risk if sensitive documents or restricted URLs are summarized.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal