Summarize

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is more than a summarizer: it gives an agent a broad API key to call many external models and to send batch email and SMS, with limited scoping or provenance details.

Review this carefully before installing. It may be useful as a broad AI API gateway, but it is not limited to summarization. Use a restricted API key if possible, avoid sending sensitive files unless you accept external processing, and require explicit approval before any email, SMS, or other high-impact action.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could send messages to real recipients or trigger account costs and reputational harm.

Why it was flagged

The skill exposes high-impact communication actions, including batch email and batch SMS, but the artifacts do not show explicit user confirmation, recipient scoping, rate limits, or rollback guidance.

Skill content

`email/send` | Send single email ... `email/batch` | Send batch emails ... `prelude/notify-batch` | Batch SMS notifications

Recommendation

Separate messaging capabilities from summarization or require explicit per-recipient user approval and clear limits before any email or SMS send.

What this means

Installing the skill may let the agent use one credential for many paid or sensitive actions across multiple providers.

Why it was flagged

The required API key is presented as a broad credential for many providers and model types, not just a narrowly scoped summarization credential.

Skill content

One API key, 50+ models across providers ... Call any model directly by ID ... Auth: `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

Recommendation

Use the least-privileged key available, restrict enabled model types where possible, and monitor billing and audit logs for this credential.

What this means

The command may fail, or an agent could run an unrelated local run.mjs if one exists in the environment.

Why it was flagged

The documentation references a run.mjs helper, while the package is instruction-only with no install spec or code file providing that command.

Skill content

`run.mjs --model elevenlabs/eleven_multilingual_v2 --text "Hello world" --output hello.mp3`

Recommendation

Provide a pinned, reviewed helper or replace these examples with explicit curl commands and document any required binaries.

What this means

Files, URLs, audio, or prompts sent for summarization or generation may leave the local environment and be processed by external services.

Why it was flagged

The skill is designed to send user-provided content through the SkillBoss API and potentially onward to automatically selected upstream providers.

Skill content

Summarize URLs or files ... PDFs, images, audio, YouTube ... 50+ models across providers ... smart routing to auto-select

Recommendation

Use only with content you are comfortable sending to the provider, prefer explicit model/provider selection for sensitive data, and review SkillBoss retention and privacy terms.