Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Summarize

v1.0.2

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to summarize URLs/files using the 'summarize' CLI, so requiring that binary is consistent with its stated purpose. However, the registry metadata lists no required environment variables while the SKILL.md explicitly documents multiple API key environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY and optional FIRECRAWL_API_KEY / APIFY_API_TOKEN). That mismatch means the skill may need secrets at runtime even though none are declared.
Instruction Scope
SKILL.md stays within the stated purpose: it shows CLI usage for web pages, PDFs, images, audio, and YouTube and references a config file (~/.summarize/config.json). It also documents optional fallbacks that use external services (Apify for YouTube; Firecrawl for blocked sites). The instructions do not ask the agent to read unrelated system files, but they do allow uploading content to third-party services and expect the agent to use provider API keys, so users should understand content and metadata may be sent outside the machine.
Install Mechanism
Install is via a Homebrew formula (steipete/tap/summarize). A brew formula is a common install method, but this is a third-party tap (not an official core formula), which raises moderate risk: formula contents are not guaranteed to be reviewed by a large central authority. The installer will create a 'summarize' binary that will run on the system.
Credentials
Although the skill metadata declares no required env vars, SKILL.md expects multiple provider API keys and optional tokens. Requiring keys for multiple model providers and third-party services is proportionate to a multi-provider summarization CLI, but the fact that these are not declared in the skill registry is an inconsistency. The skill does not request unrelated secrets (no AWS, SSH, etc.), but it can access user-provided API keys and a config file in the user's home directory.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does reference and may read/write its own config file (~/.summarize/config.json) but does not appear to modify system-wide agent settings or other skills.
What to consider before installing
This skill is generally coherent with a summarization CLI, but proceed cautiously:
- The SKILL.md expects provider API keys (OpenAI/Anthropic/xAI/Google) and optional FIRECRAWL/APIFY tokens; the registry metadata didn't declare these — be prepared to supply keys and know they will be used.
- The installer is a Homebrew formula from a third-party tap (steipete/tap). Review that formula (and the summarize project's source) before installing to ensure the binary is trustworthy.
- The summarize binary may upload page contents, files, audio, or images to model providers or optional third-party services (Apify/Firecrawl). Do not summarize sensitive or confidential material unless you understand and trust where data is sent and stored.
- If you want higher assurance, inspect the summarize project source code or prefer an official/reputable distribution channel. If needed, ask the skill author to declare required env vars and provide the brew formula URL/source.

Like a lobster shell, security has layers — review code before you run it.

latestvk977kmxgxtahr6q1b6bhje1cf983nvth

Runtime requirements

🧾 Clawdis
Bins: summarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize
