iBlipper Expressive Typography - Remember reading is automatic!

Verdict: Suspicious
Audited by ClawScan on May 10, 2026.

Overview

The skill’s purpose (generating links to short animated messages) is clear, but its optional CLI helper splices the message into Python source code, so a specially crafted message can execute injected Python code on the local machine.

This skill is reasonable for making short animated message links, but do not run its shell helper on untrusted text until the string-splicing bug is fixed. Use non-sensitive messages, since generated links point to an external web app and the message text embedded in them may be shared or saved in browser history.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern | High Confidence
ASI05: Unexpected Code Execution
What this means

If the agent runs the helper script on untrusted or adversarial message text, that text could trigger local code execution under the user's account.

Why it was flagged

The user-provided message is embedded directly into Python source code instead of being passed as a data argument. Because the shell expands $text into the source before Python parses it, a message containing a closing triple-quote sequence terminates the string literal, and whatever follows is parsed and executed as Python statements locally.

Skill content
python3 -c "import urllib.parse; print(urllib.parse.quote_plus('''$text'''))"
Recommendation

Do not run the CLI helper on untrusted text until it is fixed. The script should pass the message to Python as data rather than splicing it into the source, for example python3 -c 'import urllib.parse,sys; print(urllib.parse.quote_plus(sys.argv[1]))' "$text". In that form the shell still expands $text, but Python only ever sees it as sys.argv[1] and never parses it as code.
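The following is an added illustration, not code from the skill or from ClawScan: it reproduces the helper's vulnerable construction (the message spliced into the Python source, exactly as the shell's "$text" expansion does) next to the recommended argv-based form, and runs both on a constructed breakout message. The payload string, the BREAKOUT marker and the function names are assumptions made for this demonstration.

```python
import subprocess
import sys
import urllib.parse


def vulnerable_encode(text: str) -> str:
    """Mirror of the skill's helper: the message is interpolated into the
    Python source between triple quotes, so Python parses it as code."""
    src = f"import urllib.parse; print(urllib.parse.quote_plus('''{text}'''))"
    proc = subprocess.run([sys.executable, "-c", src],
                          capture_output=True, text=True)
    # No check=True: a message that merely unbalances the quotes makes this
    # a SyntaxError, which is a crash rather than an injection.
    return proc.stdout.strip()


def hardened_encode(text: str) -> str:
    """Recommended form: the message travels as argv data, never as source."""
    src = "import urllib.parse, sys; print(urllib.parse.quote_plus(sys.argv[1]))"
    proc = subprocess.run([sys.executable, "-c", src, text],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def reference_encode(text: str) -> str:
    """In-process reference value, used to confirm the hardened helper's output."""
    return urllib.parse.quote_plus(text)


# Constructed sample messages (not taken from the skill).
BENIGN = "Hello, world!"
# Breakout payload: closes the triple-quoted literal and the two open
# parentheses, runs an extra statement, then reopens the literal so the
# remaining template text still parses.
PAYLOAD = "'''));print('BREAKOUT');print(('''"


if __name__ == "__main__":
    print("vulnerable, benign :", vulnerable_encode(BENIGN))
    print("vulnerable, payload:", vulnerable_encode(PAYLOAD))  # runs attacker code
    print("hardened,   payload:", hardened_encode(PAYLOAD))    # just encodes it
```

Running the file shows the vulnerable helper printing the injected BREAKOUT marker instead of an encoded message, while the hardened helper returns the percent-encoded payload as ordinary data. The same breakout works for any message the agent forwards verbatim, which is why the recommendation is to fix the helper before using it on untrusted input.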

What this means

Animated links open code hosted outside the skill package, and the message text is part of the generated URL, where it is readable by the page's scripts and recorded in browser history.

Why it was flagged

The skill’s main output depends on a remote GitHub Pages app whose implementation is not included in the reviewed artifacts. This is expected for a link-generator skill, but it is still an external dependency.

Skill content
**Base URL:** `https://andyed.github.io/iblipper2025/`
Recommendation

Use this for non-sensitive short messages, and review or trust the external site before relying on it for important communications.

What this means

If used, the agent may open an external web page and create a file in Downloads for attachment.

Why it was flagged

The optional GIF workflow asks the agent to open a browser to an external URL and then find a downloaded GIF. This is purpose-aligned, but it uses browser automation and local downloads.

Skill content
browser action=open targetUrl="https://andyed.github.io/iblipper2025/?export=gif#text=Hello&emotion=emphatic" profile=chrome
Recommendation

Only use GIF export when you want a downloaded file, and review the generated file before sharing it.