Summarize
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a straightforward wrapper for a summarization CLI, but users should verify the external installer and remember that chosen files, URLs, and API keys may be handled by third-party services.
Before installing, verify that you trust the summarize Homebrew formula and the associated project. Use scoped API keys, avoid summarizing confidential content unless your provider policy allows it, and confirm the metadata mismatch is expected.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may lead the user to install and run an external CLI package.
The skill depends on an externally installed Homebrew CLI rather than bundled reviewed code. That is coherent with a CLI-wrapper skill, but the installed formula is the runtime trust boundary.
brew | formula: steipete/tap/summarize | creates binaries: summarize
Verify the Homebrew formula and homepage before installing, and keep the CLI updated from a trusted source.
The package identity is slightly ambiguous, which can make it harder to confirm the exact publisher/version lineage.
This package metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. That is a provenance/coherence note, not direct evidence of malicious behavior.
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "summarize", "version": "1.0.0"
Confirm that the registry entry, package metadata, and external project are the expected ones before installing.
Provider keys could incur usage costs or expose account access if misconfigured or mishandled.
The skill instructs users to provide provider API keys. This is expected for an LLM summarization CLI, but credentials grant access to third-party accounts and are not declared in the registry env-var metadata.
Set the API key for your chosen provider:
- OpenAI: `OPENAI_API_KEY`
- Anthropic: `ANTHROPIC_API_KEY`
- xAI: `XAI_API_KEY`
- Google: `GEMINI_API_KEY`
Use provider-specific, least-privilege keys where possible and avoid placing secrets in shared logs, prompts, or files.
Private documents, URLs, transcripts, or media content may be sent to the chosen model or extraction provider during summarization.
The documented workflow summarizes local files using an external model provider. This is central to the skill's purpose, but users should recognize that selected file contents may be processed outside the local machine.
summarize "/path/to/file.pdf" --model google/gemini-3-flash-preview
Only summarize content you are allowed to share with the selected provider, and review provider privacy and retention settings for sensitive data.
