0512-03-tos2-skill

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: 0512-03-tos2-skill
Version: 1.0.1

The skill bundle provides documentation and installation instructions for a legitimate summarization CLI tool (summarize.sh). It utilizes standard environment variables for LLM API keys and provides installation via a known Homebrew tap (steipete/tap/summarize). No malicious code, data exfiltration, or suspicious prompt-injection instructions were identified in SKILL.md or _meta.json.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the CLI may use your model provider account and quota when summarizing content.

Why it was flagged

The skill expects users to provide third-party provider API keys. This is appropriate for a model-backed summarization CLI, but those keys can incur costs and access provider accounts.

Skill content
Set the API key for your chosen provider:
- OpenAI: `OPENAI_API_KEY`
- Anthropic: `ANTHROPIC_API_KEY`
- xAI: `XAI_API_KEY`
- Google: `GEMINI_API_KEY`

Recommendation

Use only the provider keys you intend to use, prefer least-privilege or usage-limited keys where available, and monitor provider billing or usage.

What this means

Documents, PDFs, images, audio, or URLs you ask it to summarize may be handled by the chosen model or extraction service.

Why it was flagged

The skill can process local files and uses provider API keys documented in the same file, so user-selected file contents may be sent to external services for summarization.

Skill content
Fast CLI to summarize URLs, local files, and YouTube links.
Recommendation

Do not summarize confidential files unless you trust the selected provider and its data-handling terms; review the CLI/provider settings before use.

What this means

Trust depends on the external Homebrew tap and the summarize CLI it installs.

Why it was flagged

The skill installs and relies on an external Homebrew formula rather than included code. This is expected for a CLI wrapper, but the reviewed artifacts do not include the formula or binary contents.

Skill content
install: [{"id":"brew","kind":"brew","formula":"steipete/tap/summarize","bins":["summarize"]
Recommendation

Install only if you trust the Homebrew tap and homepage, and consider reviewing the formula or pinning versions in sensitive environments.

What this means

The package metadata is slightly inconsistent, which may make it harder to confirm the exact published artifact lineage.

Why it was flagged

The packaged _meta.json identifies a different slug/version than the registry entry under evaluation. This is a provenance/coherence gap, not evidence of malicious runtime behavior.

Skill content
"slug": "summarize", "version": "1.0.0"
Recommendation

The publisher should align embedded metadata with the registry record in future releases.