iBlipper Expressive Typography - Remember reading is automatic!
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: iblipper
Version: 1.0.1
The skill bundle is classified as suspicious due to the presence of shell access capabilities, even though they are used for seemingly benign purposes. Specifically, the `SKILL.md` instructs the agent to execute a shell command (`ls -t ~/Downloads/iblipper_*.gif | head -1`) to locate a downloaded GIF, and the `scripts/iblipper.sh` file is a shell script that utilizes `bash` and `python3` for URL encoding. While these actions are plausibly aligned with the stated purpose of generating and managing animated text, the underlying shell access represents a high-risk capability without clear malicious intent, thus warranting a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs the helper script on untrusted or adversarial message text, that text could trigger local code execution under the user's account.
The user-provided message is embedded directly into Python source code instead of being passed as a data argument. A message containing a closing triple-quote sequence could break out of the string and run Python statements locally.
`python3 -c "import urllib.parse; print(urllib.parse.quote_plus('''$text'''))"`
Do not run the CLI helper on untrusted text until fixed. The script should pass the message as an argument, for example using `python3 -c 'import urllib.parse,sys; print(urllib.parse.quote_plus(sys.argv[1]))' "$text"`.
Animated links will open code hosted outside the skill package, and the message text will be visible in the generated URL and to the page running in the browser.
The skill’s main output depends on a remote GitHub Pages app whose implementation is not included in the reviewed artifacts. This is expected for a link-generator skill, but it is still an external dependency.
**Base URL:** `https://andyed.github.io/iblipper2025/`
Use this for non-sensitive short messages, and review or trust the external site before relying on it for important communications.
If used, the agent may open an external web page and create a file in Downloads for attachment.
The optional GIF workflow asks the agent to open a browser to an external URL and then find a downloaded GIF. This is purpose-aligned, but it uses browser automation and local downloads.
browser action=open targetUrl="https://andyed.github.io/iblipper2025/?export=gif#text=Hello&emotion=emphatic" profile=chrome
Only use GIF export when you want a downloaded file, and review the generated file before sharing it.
