ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

charmia-test-0428-01

v1.0.1

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

0· 17·0 current·0 all-time
byyuangui@yinwuzhe·duplicate of @pin-alt/20206-02-10-clawhub-summarize-1-0-0

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yinwuzhe/charmia-test-0428-01.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "charmia-test-0428-01" (yinwuzhe/charmia-test-0428-01) from ClawHub.
Skill page: https://clawhub.ai/yinwuzhe/charmia-test-0428-01
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: summarize
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install charmia-test-0428-01

ClawHub CLI

Package manager switcher

npx clawhub@latest install charmia-test-0428-01
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the skill is an instruction-only wrapper for the 'summarize' CLI. Requiring the 'summarize' binary and providing a brew install for it is appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs the agent to use the summarize CLI and lists environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN) and an optional config file (~/.summarize/config.json). Those are relevant to the CLI but are not declared in requires.env; the instructions do not attempt to read unrelated system files or contact unexpected endpoints, but they do rely on user-provided secrets and local config.
!
Install Mechanism
The install spec uses a brew formula (steipete/tap/summarize). brew installs are common, but this is a third‑party tap rather than an official/homebrew core formula. This increases risk because the binary will be installed and executed on the host; the skill bundle contains no code to audit.
!
Credentials
No required env vars are declared in the registry metadata, yet SKILL.md documents multiple provider API keys and optional tokens. These env vars are directly relevant to the CLI’s functionality (models/providers, firecrawl/apify fallbacks), but the discrepancy between declared requirements and runtime expectations is worth noting. If you set keys, the installed binary could use them; ensure you trust the source before supplying credentials.
Persistence & Privilege
The skill does not request always:true and is not requesting to modify other skills or system-wide settings. It mentions an optional per-user config file (~/.summarize/config.json) which is normal for a CLI.
What to consider before installing
This skill is an instruction-only wrapper around a CLI named 'summarize'. Before installing or running it: 1) Verify you trust the brew tap (steipete/tap) — prefer official/homebrew/core formulas or inspect the formula/source on GitHub. 2) Be cautious about supplying API keys (OpenAI, Anthropic, xAI, Google GEMINI, FIRECRAWL, APIFY): the installed binary will use any keys present in your environment or in ~/.summarize/config.json. 3) If possible, review the brew formula or run the binary in a sandbox/container before giving it credentials or running it on sensitive machines. 4) Note the small metadata inconsistency (ownerId differs in _meta.json vs registry metadata) — likely benign but worth a quick check of the upstream project page (https://summarize.sh) and the brew formula source to confirm you’re getting the expected software.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧾 Clawdis
Binssummarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize
latestvk9791xsd40p2378jsrx0th1txn85qrs2
17downloads
0stars
1versions
Updated 8h ago
v1.0.1
MIT-0
yuangui@yinwuzhe
latest
Download

Summarize

Fast CLI to summarize URLs, local files, and YouTube links.

Quick start

summarize "https://example.com" --model google/gemini-3-flash-preview
summarize "/path/to/file.pdf" --model google/gemini-3-flash-preview
summarize "https://youtu.be/dQw4w9WgXcQ" --youtube auto

Model + keys

Set the API key for your chosen provider:

  • OpenAI: OPENAI_API_KEY
  • Anthropic: ANTHROPIC_API_KEY
  • xAI: XAI_API_KEY
  • Google: GEMINI_API_KEY (aliases: GOOGLE_GENERATIVE_AI_API_KEY, GOOGLE_API_KEY)

Default model is google/gemini-3-flash-preview if none is set.

Useful flags

  • --length short|medium|long|xl|xxl|<chars>
  • --max-output-tokens <count>
  • --extract-only (URLs only)
  • --json (machine readable)
  • --firecrawl auto|off|always (fallback extraction)
  • --youtube auto (Apify fallback if APIFY_API_TOKEN set)

Config

Optional config file: ~/.summarize/config.json

{ "model": "openai/gpt-5.2" }

Optional services:

  • FIRECRAWL_API_KEY for blocked sites
  • APIFY_API_TOKEN for YouTube fallback

Comments

Loading comments...