Scan Report
15 / 100
li-summarize
Quickly summarize URLs, local files and YouTube links using China-hosted OpenAI-compatible APIs
Legitimate URL/file summarization CLI wrapper with properly declared capabilities and no malicious behavior. The API key examples in the docs are clearly placeholders.
Safe to install
The skill is safe to use; no action required. Consider documenting the install scripts explicitly in SKILL.md for transparency.
Findings (2 items)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Install scripts not documented in SKILL.md | Doc Mismatch | SKILL.md:1 |
| Low | Placeholder API key patterns in documentation flagged | Credential Theft | SKILL.md:30 |
Capability Alignment (declared vs. inferred)
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md metadata + scripts/install.sh lines 17-25 create ~/.summarize config |
| Network | READ | READ | ✓ Aligned | SKILL.md documents API calls to LLM providers for summarization |
| Shell | WRITE | WRITE | ✓ Aligned | install.sh line 14: npm install -g @steipete/summarize |
| Environment | READ | READ | ✓ Aligned | setup.sh lines 11-13 read OPENAI_BASE_URL, OPENAI_API_KEY, SUMMARIZE_MODEL |
| Skill Invoke | NONE | NONE | — | No skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser access detected |
| Database | NONE | NONE | — | No database access detected |
Pattern scan: 22 findings (4 High, 18 Medium)
| Severity | Category | Match | Location |
|---|---|---|---|
| High | API Key (suspected hardcoded credential) | API_KEY="your-bce-api-key" | SKILL.md:30 |
| High | API Key (suspected hardcoded credential) | API_KEY="your-bce-v3-api-key" | SKILL.md:204 |
| High | API Key (suspected hardcoded credential) | API_KEY="your-dashscope-api-key" | SKILL.md:214 |
| High | API Key (suspected hardcoded credential) | API_KEY="your-deepseek-api-key" | SKILL.md:223 |
| Medium | External URL | https://dashscope.aliyuncs.com/compatible-mode/v1 | SKILL.md:5 |
| Medium | External URL | https://qianfan.baidubce.com/v2 | SKILL.md:16 |
| Medium | External URL | https://hunyuancloud.tencent.com/api/v3 | SKILL.md:54 |
| Medium | External URL | https://ark.cn-beijing.volces.com/api/v3 | SKILL.md:64 |
| Medium | External URL | https://api.moonshot.cn/v1 | SKILL.md:74 |
| Medium | External URL | https://api.deepseek.com/v1 | SKILL.md:84 |
| Medium | External URL | https://open.bigmodel.cn/api/paas/v4 | SKILL.md:94 |
| Medium | External URL | https://api.minimax.chat/v1 | SKILL.md:105 |
| Medium | External URL | https://api.stepfun.com/v1 | SKILL.md:115 |
| Medium | External URL | http://your-oneapi-server:3000/v1 | SKILL.md:135 |
| Medium | External URL | https://news.ycombinator.com | SKILL.md:160 |
| Medium | External URL | https://youtube.com/watch?v=xxx | SKILL.md:163 |
| Medium | External URL | https://summarize.sh | SKILL.md:261 |
| Medium | External URL | https://cloud.baidu.com/product/wenxinworkshop | SKILL.md:262 |
| Medium | External URL | https://dashscope.aliyuncs.com/ | SKILL.md:263 |
| Medium | External URL | https://cloud.tencent.com/product/hunyuan | SKILL.md:264 |
| Medium | External URL | https://platform.deepseek.com/ | SKILL.md:265 |
| Medium | External URL | https://open.bigmodel.cn/ | SKILL.md:266 |
All four High hits are `your-...` placeholder values from the documented provider configurations, consistent with the Low "placeholder API key patterns" finding above; `your-oneapi-server` and `watch?v=xxx` are likewise placeholders, and the remaining URLs are the provider endpoints and reference links the skill documents.
File Tree
3 files · 11.9 KB · 443 lines (Markdown: 1 file, 265 lines; Shell: 2 files, 178 lines)
├─ scripts/
│  ├─ install.sh (Shell)
│  └─ setup.sh (Shell)
└─ SKILL.md (Markdown)
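The two scanners disagree about the same strings: the summary calls the API keys placeholders, while the pattern scan rates them High. The following triage script is an added example, not part of this report or of the li-summarize skill. It re-classifies each credential and URL hit; the placeholder regex, the entropy threshold and the provider-host allowlist are this example's own assumptions, and the input lists are re-typed from the findings above rather than read from the skill.

```python
"""Triage 'hardcoded credential' and 'external URL' hits from a secret scanner.

Added example; the heuristics below are assumptions of this example, not the
scanner's rules.
"""
import math
import re
from urllib.parse import urlparse

# Constructed input: (match, location) pairs re-typed from the pattern scan.
CREDENTIAL_HITS = [
    ('API_KEY="your-bce-api-key"', "SKILL.md:30"),
    ('API_KEY="your-bce-v3-api-key"', "SKILL.md:204"),
    ('API_KEY="your-dashscope-api-key"', "SKILL.md:214"),
    ('API_KEY="your-deepseek-api-key"', "SKILL.md:223"),
]
URL_HITS = [
    ("https://dashscope.aliyuncs.com/compatible-mode/v1", "SKILL.md:5"),
    ("http://your-oneapi-server:3000/v1", "SKILL.md:135"),
    ("https://youtube.com/watch?v=xxx", "SKILL.md:163"),
]

# Documentation stand-ins: 'your-...', '<token>', 'xxx', '...', 'changeme'.
PLACEHOLDER_RE = re.compile(
    r"^(your[-_]|<.*>$|xxx+$|\.\.\.$|changeme$|replace[-_]me$|example)", re.I)

# Assumed reviewer-curated allowlist of LLM endpoints the skill documents.
KNOWN_PROVIDER_HOSTS = {
    "dashscope.aliyuncs.com", "qianfan.baidubce.com", "hunyuancloud.tencent.com",
    "ark.cn-beijing.volces.com", "api.moonshot.cn", "api.deepseek.com",
    "open.bigmodel.cn", "api.minimax.chat", "api.stepfun.com",
}


def shannon_entropy(s: str) -> float:
    """Bits per character; real API keys usually sit well above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def extract_value(assignment: str) -> str:
    """Right-hand side of KEY="value" or KEY=value, quotes stripped."""
    _, _, rhs = assignment.partition("=")
    return rhs.strip().strip("\"'")


def classify_credential(assignment: str) -> str:
    """'placeholder' for documented stand-ins, 'likely-secret' for long,
    high-entropy values, 'review' for anything in between."""
    value = extract_value(assignment)
    if PLACEHOLDER_RE.search(value):
        return "placeholder"
    if len(value) >= 20 and shannon_entropy(value) >= 3.5:
        return "likely-secret"
    return "review"


def classify_url(url: str) -> str:
    """Separate placeholder hosts and documented providers from URLs that
    genuinely need a human look; plaintext http gets its own bucket."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if PLACEHOLDER_RE.search(host):
        return "placeholder-host"
    if host in KNOWN_PROVIDER_HOSTS:
        return "documented-provider"
    if parsed.scheme == "http":
        return "review-plaintext"
    return "review-external"


def triage():
    """Classify every hit; returns ({location: label}, {location: label})."""
    creds = {loc: classify_credential(v) for v, loc in CREDENTIAL_HITS}
    urls = {loc: classify_url(u) for u, loc in URL_HITS}
    return creds, urls


if __name__ == "__main__":
    for table in triage():
        for loc, label in table.items():
            print(f"{loc:<14} {label}")
```

A `placeholder` label only downgrades severity; it does not clear the finding, because a real key that happens to start with `your-` would be missed, so anything the entropy test marks `likely-secret` should be treated as leaked regardless of how the surrounding documentation describes it.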
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @steipete/summarize | latest | npm | No | Version not pinned, uses latest |
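The "version not pinned" note above is worth catching mechanically rather than by reading install.sh. The following checker is an added example, not the scanner's or the skill's own code: it finds `npm install` arguments that are not pinned to an exact version, handling scoped packages whose leading `@` is part of the name. The sample script is constructed here; only its `npm install -g @steipete/summarize` line mirrors the cited install.sh line 14, and the other lines are invented.

```python
"""Flag npm installs in a shell script that are not pinned to an exact version.

Added example; the sample script is constructed and only mirrors the one
install line cited in the report.
"""
import re
import shlex

# Constructed sample of an install script (line 3 mirrors install.sh line 14).
SAMPLE_INSTALL_SH = """#!/usr/bin/env bash
set -euo pipefail
npm install -g @steipete/summarize
npm install -g @steipete/summarize@latest
npm i -g left-pad@1.3.0 typescript@^5
mkdir -p ~/.summarize
"""

# Exact semver, optionally with a pre-release or build suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")


def split_spec(spec: str):
    """Split 'name@version' into (name, version); for scoped packages
    (@scope/pkg@1.0.0) the leading '@' belongs to the name, not the version."""
    body = spec[1:] if spec.startswith("@") else spec
    name, sep, version = body.partition("@")
    if spec.startswith("@"):
        name = "@" + name
    return name, (version if sep else None)


def unpinned_installs(script: str):
    """Return [(line_no, package, reason)] for every npm install argument that
    does not name one exact version. Bare names, dist-tags such as 'latest'
    and ranges such as '^5' all resolve to a moving target."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not an npm line we can parse
            continue
        if len(argv) < 2 or argv[0] != "npm" or argv[1] not in ("install", "i", "add"):
            continue
        for arg in argv[2:]:
            if arg.startswith("-"):  # flags such as -g, --ignore-scripts
                continue
            name, version = split_spec(arg)
            if version is None:
                findings.append((n, name, "no version given (resolves to latest)"))
            elif not EXACT_VERSION.match(version):
                findings.append((n, name, f"non-exact spec '{version}'"))
    return findings


if __name__ == "__main__":
    for line_no, pkg, reason in unpinned_installs(SAMPLE_INSTALL_SH):
        print(f"line {line_no}: {pkg}: {reason}")
```

Pinning narrows what `npm install -g` can resolve to but does not authenticate the tarball; a lockfile with integrity hashes, or at least `--ignore-scripts` during install, closes more of the supply-chain gap than the version string alone.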
Security Positives
✓ No credential harvesting or exfiltration detected - API keys are only used for intended LLM API calls
✓ All capabilities (filesystem WRITE, shell, network) are declared in SKILL.md metadata
✓ No obfuscation techniques (base64, eval, etc.) found
✓ No sensitive path access (~/.ssh, ~/.aws, etc.) detected
✓ No reverse shell, C2, or data theft behavior
✓ npm package is documented and from a legitimate source (@steipete/summarize)
✓ Config files are stored in user-specified location (~/.summarize) - user has control
✓ Environment variable usage is documented and follows standard practices