Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
skill-0327-01
v1.0.0
Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual runtime behavior: the skill is instruction-only and calls a 'summarize' CLI to summarize web pages, PDFs, images, audio, and YouTube links. Requiring the 'summarize' binary and providing a brew install for it is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the summarize CLI and to use provider API keys and an optional config file (~/.summarize/config.json). Those runtime instructions reference environment variables and a home-directory config file that are not declared in the skill metadata. The instructions also mention fallbacks that use external services (Apify, Firecrawl), meaning content will be sent to third-party providers — expected for this use case but not documented in the metadata.
Install Mechanism
Install is via brew formula 'steipete/tap/summarize' which is a third-party tap. Brew installs are common, but third-party taps are less vetted than official repositories; the install will create a binary named 'summarize'. There is no checksum or source repo/link provided in the skill metadata for verification.
Credentials
SKILL.md lists multiple provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY and aliases) plus optional FIRECRAWL_API_KEY and APIFY_API_TOKEN and references a home config file. However, requires.env in the skill metadata lists no environment variables and required config paths are empty. This mismatch means the skill may expect sensitive credentials or read a config from your home directory even though metadata doesn't declare those requirements.
Persistence & Privilege
The skill is not marked 'always', does not request persistent elevated privileges, and is instruction-only (no code files written by the skill). Nothing indicates it will modify other skills or system-wide agent settings.
What to consider before installing
1) The CLI will contact external model providers (OpenAI, Anthropic, Google/xAI) and optional services (Apify, Firecrawl). Only provide API keys you trust and that have minimal privileges.
2) SKILL.md references environment variables and a home config file (~/.summarize/config.json) but the skill metadata does not declare them — expect the installed CLI to read that file and use any API keys in your environment.
3) The installer is a third-party brew tap (steipete/tap). If you plan to install, review the brew formula and upstream repository (and checksum/signature if available) before installing, or build from source yourself.
4) If you need higher confidence, ask the publisher for the upstream source repo, release hashes, and the brew formula link or check the binary in a sandboxed environment first.
5) Note the registry ownerId in the registry metadata differs from the ownerId inside _meta.json; this mismatch is not necessarily malicious but is worth confirming with the publisher.
Like a lobster shell, security has layers — review code before you run it.
latestvk974yyc0pwyfchgh937krqeskx83p8t9
Runtime requirements
🧾 Clawdis
Bins: summarize
Install
Install summarize (brew)
Bins: summarize
brew install steipete/tap/summarize