get-tldr
v1.0.0Provide the summary returned by the get-tldr.com summarize API without further summarization; the skill should format the API output for readability but must not change its content.
⭐ 2· 4k·20 current·21 all-time
by@itobey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the actual behavior: the bundled Python script posts the provided URL to https://www.get-tldr.com/api/v1/summarize and returns the service JSON. Reading an API key from a config file, env var, or .env is consistent with calling an external summarize API.
Instruction Scope
SKILL.md instructs the agent to call the bundled script and not to re-summarize the API output — that is consistent. However, the script appends a log entry containing the timestamp, sent payload (the URL) and the full response to a logfile (default ~/.config/get-tldr/skill.log). That behavior is not emphasized in the high-level description and can capture sensitive URLs or returned content; user-facing instructions don't clearly call out the privacy implications.
Install Mechanism
This is an instruction-only skill with a bundled Python script and no install spec or remote downloads. The only runtime dependency is the requests Python library; the script error-exits with a message if requests is missing. No external installers, package pulls, or arbitrary downloads are present.
Credentials
The script requires an API key (config file ~/.config/get-tldr/config.json, GET_TLDR_API_KEY env var, or a .env in the skill folder), but the registry metadata lists no required env vars and no primary credential. That mismatch is an explicit inconsistency. Also, the script reads and writes files under the user's home (~/.config/get-tldr) and can read a local .env in the skill folder; these accesses are reasonable for configuration but should be disclosed.
Persistence & Privilege
The skill does not request always:true or special platform privileges and does not modify other skills. It does create/append a logfile and reads a config file in ~/.config/get-tldr by default — persistent on-disk logging of URLs/responses is the notable persistent behavior to consider.
What to consider before installing
This skill is coherent with its stated purpose (calling get-tldr.com) but has two practical concerns you should address before installing or using it: (1) It requires an API key (config or GET_TLDR_API_KEY), yet the registry metadata does not declare this — make sure you supply the key securely and update metadata if you publish it. (2) By default the script logs the sent URL and the entire API response to ~/.config/get-tldr/skill.log (unless configured otherwise). That log can contain sensitive URLs or returned content. Recommended actions: confirm where you will store the API key (prefer an OS secret manager or a secure config file), inspect and/or modify get_tldr.py if you want to disable or relocate logging, set a restrictive logfile path and file permissions, ensure the requests dependency is available in a controlled environment, and consider limiting automatic/autonomous invocation of the skill if you are concerned about repeated background requests. If the registry owner updates the metadata to declare the required credential and the logging behavior is disclosed or made configurable, the concerns would be largely addressed.Like a lobster shell, security has layers — review code before you run it.
latestvk972j221yz0g3pv9ytxqytjhj9808a7g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.