Is summarize safe?

https://clawhub.ai/skill/summarize

82
SAFE

The summarize skill is a documentation-only wrapper around a legitimate CLI tool installed via a personal Homebrew tap. It contains no prompt injection, hidden code, or malicious behavior. The primary risk is inherent to its design: it sends local file content to external LLM APIs for summarization, which creates a data flow pipeline that could be misused in multi-skill environments. The third-party Homebrew tap (steipete) introduces a supply-chain trust dependency.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (9)

MEDIUM Skill normalizes sending local file content to external APIs -15

The skill's core purpose is to send local files and URLs to third-party LLM providers (OpenAI, Anthropic, Google, xAI) for summarization. While this is the intended functionality, it creates a data pipeline where an agent could be directed to summarize sensitive files, sending their content to external services. The skill documents this as normal behavior with examples like 'summarize "/path/to/file.pdf"'.

MEDIUM Multiple API key environment variables referenced -13

The skill references 7 different API key environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, GOOGLE_API_KEY, FIRECRAWL_API_KEY, APIFY_API_TOKEN). While contextually appropriate, this normalizes the agent accessing and potentially exposing these sensitive credentials in its operational context.

MEDIUM Third-party Homebrew tap installation -15

The skill installs a binary from a personal Homebrew tap (steipete/tap/summarize) rather than Homebrew core. Personal taps receive less community scrutiny than core formulae. The security of the installed binary depends entirely on the tap maintainer (steipete).

LOW External homepage reference -5

The skill references an external homepage (https://summarize.sh) in its metadata. While this is informational and not an instruction for the agent to fetch, it could potentially be used in social engineering if the domain content changes.

LOW Shell command execution is core functionality -7

The skill's purpose requires the agent to execute shell commands (the summarize CLI). This is inherent to the skill's design but means the agent will be running external binaries with user-level permissions.

LOW External TLS connection during installation -12

A TLS connection to 216.150.1.1:443 was observed during skill installation. This is likely Homebrew tap resolution or related infrastructure. The connection is encrypted and appears legitimate but represents external network activity during clone.

LOW Skill references config file in user home directory -10

The skill documents a config file at ~/.summarize/config.json. While this is standard CLI behavior, it means the agent may read or suggest creating files in the user's home directory.

INFO Potential for indirect exfiltration via summarization -10

In a multi-skill environment, a malicious skill could write sensitive data to a temporary file, then the agent could be prompted to 'summarize' that file, effectively sending the data to an external LLM provider. This is a composition risk rather than a direct skill vulnerability.

INFO Firecrawl and Apify integrations expand network reach -20

The --firecrawl and --youtube flags enable the CLI to use additional third-party services (Firecrawl for web scraping, Apify for YouTube), further expanding the network footprint beyond the primary LLM providers.