Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Summarize Garrison

v1.0.0

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the declared requirements: the skill requires a 'summarize' CLI binary and the SKILL.md documents exactly how to call it for URLs, PDFs, images, audio, and YouTube. Requiring provider API keys (OpenAI, Anthropic, xAI, Google) and optional Firecrawl/Apify tokens is consistent with a summarization tool that forwards content to LLMs and extraction services.
Instruction Scope
SKILL.md is instruction-only and tells the agent to run the summarize CLI on URLs and local files; it references ~/.summarize/config.json and environment variables for model keys and optional FIRECRAWL/APIFY keys. This is coherent, but implies local files and scraped content will be transmitted to third-party LLMs/extraction services—an expected functional behavior but a privacy/data-exfiltration risk for sensitive inputs. There are no instructions to read unrelated system files or secrets.
Install Mechanism
Install uses a Homebrew formula 'steipete/tap/summarize' (third-party tap). Installing a binary from a non-core tap is relatively common but carries more provenance risk than an official core formula or vetted release; the installer will place a binary on disk (normal for a CLI). No direct arbitrary URL downloads or archive extraction were specified.
Credentials
The registry metadata lists no required env vars, and SKILL.md documents optional/expected provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY and aliases) plus optional FIRECRAWL_API_KEY and APIFY_API_TOKEN. These environment variables are appropriate for a tool that calls external LLM/APIs and extraction services; the number and types of keys requested are proportionate to the stated functionality.
Persistence & Privilege
Skill is not always-enabled, does not request elevated or cross-skill configuration changes, and is instruction-only (no embedded code that modifies agent settings). No indications it writes to or modifies other skills' configurations.
What to consider before installing
Before installing:
1) Understand that the summarize CLI will send local files and fetched webpage/audio/video content to external LLM providers and optional services (Firecrawl/Apify)—do not use on sensitive data unless you trust those endpoints and policies.
2) The brew install comes from a third-party tap (steipete/tap) rather than Homebrew core—verify the tap and review the formula/binary provenance (or build from source) before trusting it.
3) Confirm which API keys you set are limited in scope and rotate/revoke them if you later uninstall.
4) Note a small packaging inconsistency in the included _meta.json owner/version metadata—this could be an innocuous packaging issue but worth verifying the publisher/homepage (https://summarize.sh) before proceeding.
5) If unsure, test the tool on non-sensitive inputs and inspect the installed binary or formula source first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bsfa3nnwjtj51hd0s8qymxh84nyec


Runtime requirements

🧾 Clawdis
Bins: summarize

Install

Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize
