ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

20206 02 10 Clawhub Summarize 1.0.0

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 860 · 2 current installs · 2 all-time installs
by@pin-alt
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the requested binary and usage: the skill is an instruction-only wrapper that requires the 'summarize' CLI. The referenced provider API keys and optional config path (~/.summarize/config.json) are coherent with a summarization tool. Note: _meta.json ownerId differs from the registry ownerId, which is an inconsistency in metadata worth verifying, and the install uses a third-party Homebrew tap (steipete/tap) rather than homebrew-core or a direct official release.
Instruction Scope
SKILL.md limits actions to invoking the summarize CLI on URLs/files and instructs which environment variables to set for different LLM providers. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints beyond the documented provider services and optional Apify/Firecrawl services.
Install Mechanism
Install is via a Homebrew formula (steipete/tap/summarize) which is a reasonable, common mechanism. Because it's from a third‑party tap rather than the official homebrew-core, verify the tap/formula source (and that it corresponds to the summarize.sh project) before installing; third-party taps carry more supply-chain risk than official taps.
Credentials
SKILL.md references multiple provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, plus optional FIRECRAWL_API_KEY and APIFY_API_TOKEN). These are proportional and expected for a CLI that calls external LLMs and fallback web-extraction services. The skill does not declare required env vars up front, which is acceptable because keys are optional and provider-dependent, but you should only supply keys for providers you intend to use.
Persistence & Privilege
always is false and there are no instructions to modify other skills or system-wide agent settings. The skill references an optional per-user config file (~/.summarize/config.json) which is normal for a CLI tool.
Assessment
This skill is an instruction wrapper around the 'summarize' CLI and appears coherent with that purpose. Before installing: (1) verify the Homebrew tap/formula source (steipete/tap) matches the project at the homepage (https://summarize.sh) or an official repository; (2) review the brew formula or upstream release to ensure the binary is what you expect; (3) only provide API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN) for services you trust and intend to use; (4) inspect or sandbox the tool before granting it access to sensitive files or system-level permissions; and (5) note the minor metadata mismatch (ownerId) in the package metadata — consider confirming the publisher identity if that matters to you.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9770ys67vpw8cja651vjp7451810nda

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧾 Clawdis
Binssummarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize

SKILL.md

Summarize

Fast CLI to summarize URLs, local files, and YouTube links.

Quick start

summarize "https://example.com" --model google/gemini-3-flash-preview
summarize "/path/to/file.pdf" --model google/gemini-3-flash-preview
summarize "https://youtu.be/dQw4w9WgXcQ" --youtube auto

Model + keys

Set the API key for your chosen provider:

  • OpenAI: OPENAI_API_KEY
  • Anthropic: ANTHROPIC_API_KEY
  • xAI: XAI_API_KEY
  • Google: GEMINI_API_KEY (aliases: GOOGLE_GENERATIVE_AI_API_KEY, GOOGLE_API_KEY)

Default model is google/gemini-3-flash-preview if none is set.

Useful flags

  • --length short|medium|long|xl|xxl|<chars>
  • --max-output-tokens <count>
  • --extract-only (URLs only)
  • --json (machine readable)
  • --firecrawl auto|off|always (fallback extraction)
  • --youtube auto (Apify fallback if APIFY_API_TOKEN set)

Config

Optional config file: ~/.summarize/config.json

{ "model": "openai/gpt-5.2" }

Optional services:

  • FIRECRAWL_API_KEY for blocked sites
  • APIFY_API_TOKEN for YouTube fallback

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…