Skill v1.0.0

ClawScan security

Gif Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 7:34 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, instructions, and requirements are coherent with its stated purpose (making GIFs); it creates a local virtualenv, installs Pillow, may call gifsicle if present, and does not request credentials or attempt network access or unexpected system modifications.
Guidance
This skill appears to do exactly what it says: it creates a local Python virtual environment, installs Pillow, reads the image files you point it at, produces a GIF, and optionally runs the system gifsicle binary (if installed) to compress outputs. Before running: (1) confirm you trust the image source paths you provide (the script will read any files under that path), (2) be aware it will create a .venv inside the skill folder and install Pillow, and (3) if you need gifsicle compression, install gifsicle from your package manager rather than trusting unknown downloads. There is no indication the skill exfiltrates data or requests credentials.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and docs. The skill contains a Python implementation (Pillow) for composing GIFs and an optional call to gifsicle for compression, which is consistent with the described '智能压缩' feature. No unrelated binaries, env vars, or cloud credentials are requested.
Instruction Scope
ok: SKILL.md and run.sh instruct the agent to create a local venv, install requirements.txt (Pillow), and run make_gif.py with user-supplied paths and options. The runtime actions are limited to reading image files from the provided source path and writing the output GIF; the only external command invoked is gifsicle (if available) for compression. There are no instructions to read unrelated system files, export data, or contact remote endpoints.
Install Mechanism
ok: There is no remote download of arbitrary code. run.sh auto-creates a Python venv and pip-installs a single dependency (Pillow) from requirements.txt, which is proportionate to the task. No archives or obscure URLs are fetched, and gifsicle is optional (user-installed or system package).
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. It does not attempt to access secrets or unrelated environment variables. The only filesystem write is the local .venv and the user-specified output GIF, which are expected for this functionality.
Persistence & Privilege
ok: always is false and the skill does not request permanent elevated presence. It creates a .venv inside its own skill directory (normal) and does not modify other skills or global agent configuration.