Skill v1.0.3
ClawScan security
tencentcli-test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 3:35 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be a CLI wrapper for the 'summarize' tool, and its instructions are consistent with that purpose, but metadata/name mismatches and minor provenance gaps make the package suspicious until you verify its source and brew formula.
- Guidance: Before installing:
  1. Verify the brew tap 'steipete/tap' and the summarize formula source and checksum on the Homebrew tap or GitHub repo, to make sure you are installing the intended package.
  2. The package expects you to provide LLM/provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY) and optional FIRECRAWL/APIFY tokens; only supply keys you trust it to use.
  3. After installation, check ~/.summarize/config.json for stored secrets; if you keep keys there, restrict the file to its owner (mode 0600).
  4. The skill package name ('tencentcli-test') and the differing ownerId in _meta.json are inconsistent with the summarize content; ask the publisher for clarification, or prefer an officially published 'summarize' package from a known source.
  If you cannot verify the tap/source, treat the install as higher risk.
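As an added example (not the scanner's output and not code from the summarize project), the following POSIX shell script carries out the config-file check from step (3) of the guidance: it reports the permission bits of ~/.summarize/config.json, counts lines that look like they hold a credential, and tightens the file and its directory to owner-only when keys are present and the file is readable by group or others. The real layout of config.json is not documented on this page, so the grep is a heuristic keyed on the env-var names the scan lists; the config path is a parameter so the script can be exercised against a constructed fixture instead of the live file.

```sh
#!/bin/sh
# Added example: audit the summarize per-user config for stored API keys and
# loose permissions, then restrict it to the owner. Not part of the ClawHub
# scan or the summarize project; the JSON layout it greps for is assumed.

# Heuristic for credential-bearing lines: covers the env-var names in the scan
# (OPENAI_API_KEY ... APIFY_API_TOKEN) and the usual JSON spellings (apiKey,
# api_key, token, secret). Matched case-insensitively.
SECRET_PATTERN='api_?key|token|secret'

# Octal permission bits of a file; works with GNU stat (Linux) and falls back
# to BSD stat (macOS, where most Homebrew users are).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 when only the owner has any access, i.e. the group and other digits are 0.
mode_is_private() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Number of lines in the file that look like they carry a credential
# (grep -c prints 0 and exits 1 on no match, hence the || true).
count_secret_lines() {
    grep -Eic "$SECRET_PATTERN" "$1" || true
}

# Audit one config file. Exit status:
#   0  no file, or no credentials found, or credentials stored owner-only
#   1  credentials found and the file is readable by group or others
audit_config() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "no config at $f: nothing stored on disk"
        return 0
    fi
    n=$(count_secret_lines "$f")
    n=${n:-0}
    mode=$(file_mode "$f")
    echo "$f: mode $mode, $n credential-looking line(s)"
    if [ "$n" -gt 0 ] && ! mode_is_private "$f"; then
        echo "WARNING: API keys stored in a file readable beyond the owner"
        return 1
    fi
    return 0
}

# Restrict the file to its owner, and the directory too so listings and any
# future files under ~/.summarize are not exposed either.
harden_config() {
    chmod 600 "$1"
    chmod 700 "$(dirname "$1")"
}

main() {
    cfg=${1:-$HOME/.summarize/config.json}
    if ! audit_config "$cfg"; then
        harden_config "$cfg"
        audit_config "$cfg"
    fi
}

# Only run when a path is given explicitly, so sourcing this file (for tests)
# never touches the real config.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh audit_summarize_config.sh "$HOME/.summarize/config.json"` (the file name is hypothetical) or pass any other path. For step (1) of the guidance, `brew tap-info steipete/tap` shows where the tap is cloned from and `brew cat steipete/tap/summarize` prints the formula source, including the URL and declared sha256 of the release archive, which you can compare against the project's GitHub repository before running `brew install`.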
Review Dimensions
- Purpose & Capability (concern): The skill description and SKILL.md describe a 'summarize' CLI. However, the skill package name ('tencentcli-test') and the registry ownerId differ from the ownerId embedded in _meta.json, which is a metadata/provenance inconsistency. The declared required binary (summarize) and the reported homepage (summarize.sh) are consistent with the described capability.
- Instruction Scope (note): SKILL.md gives explicit runtime instructions for invoking the 'summarize' CLI and documents an optional config file (~/.summarize/config.json) and provider API env vars. It does not instruct the agent to access unrelated system files or secrets, but it does reference several environment variables and an optional config file (which may contain API keys) that are not listed as required in the registry metadata; these are optional from the tool's perspective but worth noting.
- Install Mechanism (ok): Install uses a Homebrew formula (steipete/tap/summarize). A brew formula is a common and comparatively low-risk install mechanism next to arbitrary downloads; verify the tap and formula source before installing (see the guidance above).
- Credentials (note): The skill does not require env vars to be present, but SKILL.md documents several provider keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY) plus optional FIRECRAWL_API_KEY and APIFY_API_TOKEN. These align with the tool's purpose (calling LLM, image and audio extraction services) and are proportionate, but they do mean the tool will use whatever keys you supply and may store config under ~/.summarize.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent platform privileges. It does reference a per-user config file, which is normal for a CLI.
