Skill v1.0.0

ClawScan security

20206 02 10 Clawhub Summarize 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 12, 2026, 6:04 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill is internally consistent with a CLI wrapper for the 'summarize' tool and requests only the binaries and optional provider API keys you would expect, though there are small metadata/install-source inconsistencies you should verify before installing.
Guidance
This skill is an instruction wrapper around the 'summarize' CLI and appears coherent with that purpose. Before installing: (1) verify the Homebrew tap/formula source (steipete/tap) matches the project at the homepage (https://summarize.sh) or an official repository; (2) review the brew formula or upstream release to ensure the binary is what you expect; (3) only provide API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN) for services you trust and intend to use; (4) inspect or sandbox the tool before granting it access to sensitive files or system-level permissions; and (5) note the minor metadata mismatch (ownerId) in the package metadata — consider confirming the publisher identity if that matters to you.

Review Dimensions

Purpose & Capability: ok
Name/description match the requested binary and usage: the skill is an instruction-only wrapper that requires the 'summarize' CLI. The referenced provider API keys and optional config path (~/.summarize/config.json) are coherent with a summarization tool. Note: _meta.json ownerId differs from the registry ownerId, which is an inconsistency in metadata worth verifying, and the install uses a third-party Homebrew tap (steipete/tap) rather than homebrew-core or a direct official release.
Instruction Scope: ok
SKILL.md limits actions to invoking the summarize CLI on URLs/files and instructs which environment variables to set for different LLM providers. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints beyond the documented provider services and optional Apify/Firecrawl services.
Install Mechanism: note
Install is via a Homebrew formula (steipete/tap/summarize) which is a reasonable, common mechanism. Because it's from a third-party tap rather than the official homebrew-core, verify the tap/formula source (and that it corresponds to the summarize.sh project) before installing; third-party taps carry more supply-chain risk than official taps.
Credentials: ok
SKILL.md references multiple provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, plus optional FIRECRAWL_API_KEY and APIFY_API_TOKEN). These are proportional and expected for a CLI that calls external LLMs and fallback web-extraction services. The skill does not declare required env vars up front, which is acceptable because keys are optional and provider-dependent, but you should only supply keys for providers you intend to use.
Persistence & Privilege: ok
'always' is false and there are no instructions to modify other skills or system-wide agent settings. The skill references an optional per-user config file (~/.summarize/config.json) which is normal for a CLI tool.