ClawHub
Back to skill
v1.0.0

summarizer2

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

This skill is a straightforward wrapper for an external summarization CLI, with disclosed use of provider API keys and optional extraction services.

GuidanceThis skill appears coherent and purpose-aligned. Before installing, make sure you trust the summarize CLI Homebrew package, configure only the provider keys you intend to use, and avoid summarizing private files or sensitive links unless you are comfortable sending that content to the selected AI or extraction services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
install spec
brew | formula: steipete/tap/summarize | creates binaries: summarize

The skill depends on installing an external Homebrew package to provide its core CLI. This is purpose-aligned, but users should recognize that the installed binary is outside the provided skill artifact.

User impactThe actual summarization behavior comes from the installed summarize CLI package.
RecommendationInstall only if you trust the Homebrew tap and the summarize CLI source.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Set the API key for your chosen provider: - OpenAI: `OPENAI_API_KEY` - Anthropic: `ANTHROPIC_API_KEY` - xAI: `XAI_API_KEY` - Google: `GEMINI_API_KEY`

The skill documents use of model-provider API keys. This is expected for a summarization CLI, but these credentials allow access to paid or account-bound services.

User impactUsing the skill may spend quota or incur charges on whichever provider key you configure.
RecommendationUse scoped API keys where possible, monitor provider usage, and avoid exposing keys in shared shells or logs.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
`--firecrawl auto|off|always` (fallback extraction) ... `--youtube auto` (Apify fallback if `APIFY_API_TOKEN` set)

The skill discloses optional use of third-party extraction services for blocked sites and YouTube fallback. This is aligned with the summarization purpose, but it means URLs or extracted content may be handled by external services.

User impactWeb pages, YouTube links, or extracted content may be sent to external providers depending on the options and tokens configured.
RecommendationDo not use this skill on confidential URLs or files unless you are comfortable with the configured model and extraction providers processing that content.