Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-0415-05-zip自测过来

v1.0.1

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instruction-only wrapper for the 'summarize' CLI. Declaring the 'summarize' binary as required and offering a Homebrew formula to install it is consistent with the described functionality.
Instruction Scope
SKILL.md instructs the agent to run the summarize CLI against URLs/files and to use a config file at ~/.summarize/config.json. It also documents use of provider API keys and optional services (FIRECRAWL_API_KEY, APIFY_API_TOKEN). These instructions are within the tool's scope but reference user home config and environment variables that the skill metadata did not declare.
Install Mechanism
Install spec uses Homebrew formula 'steipete/tap/summarize'. Homebrew taps are a common install method but third‑party taps (non‑core) are higher risk than official packages because they pull code from an external repository; reviewers should inspect the tap's source before installing.
! Credentials
Registry metadata declares no required environment variables, but SKILL.md expects API keys for multiple LLM providers (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY and aliases) and optional service tokens (FIRECRAWL_API_KEY, APIFY_API_TOKEN). Requesting or using these sensitive keys is plausible for the CLI, but the metadata omission reduces transparency and makes it easy to overlook credential usage/exfiltration risk.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes or modify other skills. Autonomous invocation is allowed by default (normal). The skill does reference a per-user config file (~/.summarize/config.json), which is expected for a CLI.
Scan Findings in Context
[NO_CODE_FILES] expected: This is an instruction-only skill with no code files; the regex-based scanner had nothing to analyze. That is expected but means runtime behavior depends entirely on the external 'summarize' binary and its install source.
What to consider before installing
This skill is plausible for summarizing content using an external CLI, but take three precautions before installing or enabling it: (1) Inspect the Homebrew tap/source for steipete/tap/summarize (the formula and its GitHub repo) to ensure the binary is trustworthy; (2) be aware that the CLI can use various LLM provider keys and optional service tokens — only provide API keys you trust and understand that summarized content may be sent to those providers; (3) note the skill will read a per-user config (~/.summarize/config.json) and may use any relevant environment variables present in the agent's environment, so avoid storing high‑privilege credentials there unless you trust the tool. If you want lower risk, do not set provider API keys (or run the CLI in an isolated environment) and review the installed binary before use.


latest vk97a0h7zm2s76b1g1edqc1kdvs84xxvm

Runtime requirements

🧾 Clawdis
Bins: summarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize
