Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

summarizenew

v2.0.0

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the runtime instructions: it delegates work to a 'summarize' CLI and documents how to call it. Requiring/declaring the 'summarize' binary and providing a brew install for steipete/tap/summarize is consistent with the described purpose. However, registry metadata (owner/slug/version) does not match the included _meta.json (different ownerId, slug 'summarize', and version 1.0.0), which is an incoherence in packaging/metadata.
Instruction Scope
SKILL.md simply instructs the agent to call the external summarize CLI on URLs/files and documents optional config (~/.summarize/config.json) and provider API keys. It does not instruct the agent to read unrelated system files, exfiltrate arbitrary local data, or call unexpected endpoints beyond the LLM and optional crawler services described.
Install Mechanism
Install is a Homebrew formula: steipete/tap/summarize. Homebrew taps are a common installation mechanism but this is a third‑party tap rather than an official core formula; that increases risk relative to 'no install spec' but is lower risk than an arbitrary download URL. Users should review the formula/source to confirm what the installed binary does.
Credentials
SKILL.md documents multiple optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN). These align with a summarization tool that can use multiple providers and optional crawler fallbacks, so the keys are proportionate to the stated functionality—but they are sensitive credentials. The registry metadata lists no required env vars, which matches SKILL.md making them optional. Users should avoid supplying keys unless they trust the binary.
Persistence & Privilege
The skill does not request 'always: true'; it is user-invocable, and autonomous invocation is the default. There is no evidence it attempts to modify other skills or system-wide agent settings. It references an optional per-user config file (~/.summarize/config.json), which is expected behavior for a CLI.
What to consider before installing
This skill appears to be a thin adapter around an external 'summarize' CLI and is mostly coherent with that purpose, but take these precautions before installing or providing API keys:
- Verify the Homebrew formula source: inspect steipete/tap/summarize on the tap's repo to confirm what the install writes and whether the binary is built from a trustworthy source.
- Check the binary behavior in a sandbox/container before running it on sensitive hosts (network traffic, endpoints contacted, and any telemetry it emits).
- Only provide API keys (OpenAI, Anthropic, XAI, GEMINI, FIRECRAWL, APIFY) if you trust the source; keys permit the binary to make requests to third‑party LLM/crawler services and could incur cost or leak input.
- Investigate the packaging metadata mismatch (registry metadata vs. included _meta.json). Ask the publisher to confirm the correct owner/slug/version if provenance matters.
- Prefer official or well-known distributions when possible; if unsure, run the summarize binary locally in a restricted environment and review network calls (e.g., with a proxy) before using with real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cqwqhw4sz4b87hs0prmnh6d83hjem

Runtime requirements

🧾 Clawdis
Bins: summarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize
