0512-03-tos2-skill

Pass

Audited by ClawScan on May 12, 2026.

Overview

This is a coherent summarization skill, but it relies on an external Homebrew-installed CLI and provider API keys, so users should only summarize files or URLs they are comfortable sending to the chosen services.

This skill appears benign and purpose-aligned. Before installing, make sure you trust the summarize Homebrew tap and only provide API keys and files you are comfortable using with the selected model, Firecrawl, or Apify services.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the CLI may use your model provider account and quota when summarizing content.

Why it was flagged

The skill expects users to provide third-party provider API keys. This is appropriate for a model-backed summarization CLI, but those keys can incur costs and access provider accounts.

Skill content

Set the API key for your chosen provider:
- OpenAI: `OPENAI_API_KEY`
- Anthropic: `ANTHROPIC_API_KEY`
- xAI: `XAI_API_KEY`
- Google: `GEMINI_API_KEY`

Recommendation

Use only the provider keys you intend to use, prefer least-privilege or usage-limited keys where available, and monitor provider billing or usage.

What this means

Documents, PDFs, images, audio, or URLs you ask it to summarize may be handled by the chosen model or extraction service.

Why it was flagged

The skill can process local files and uses provider API keys documented in the same file, so user-selected file contents may be sent to external services for summarization.

Skill content

Fast CLI to summarize URLs, local files, and YouTube links.

Recommendation

Do not summarize confidential files unless you trust the selected provider and its data-handling terms; review the CLI/provider settings before use.

What this means

Trust depends on the external Homebrew tap and the summarize CLI it installs.

Why it was flagged

The skill installs and relies on an external Homebrew formula rather than included code. This is expected for a CLI wrapper, but the reviewed artifacts do not include the formula or binary contents.

Skill content

install: [{"id":"brew","kind":"brew","formula":"steipete/tap/summarize","bins":["summarize"]

Recommendation

Install only if you trust the Homebrew tap and homepage, and consider reviewing the formula or pinning versions in sensitive environments.

What this means

The package metadata is slightly inconsistent, which may make it harder to confirm the exact published artifact lineage.

Why it was flagged

The packaged _meta.json identifies a different slug/version than the registry entry under evaluation. This is a provenance/coherence gap, not evidence of malicious runtime behavior.

Skill content

"slug": "summarize", "version": "1.0.0"

Recommendation

The publisher should align embedded metadata with the registry record in future releases.