Back to skill

Security audit

Gif Search

Security checks across malware telemetry and agentic risk

Overview

This is a Tenor GIF command-line helper with some risky CI helper code, but the risky code is not part of the normal install or GIF-search runtime.

Install only if you are comfortable with your GIF search terms and API key being sent to Tenor. Prefer setting your own TENOR_API_KEY, treat the raw GitHub install URL as mutable, and do not run ci/verify_product.py on untrusted folders unless it is sandboxed. Expect the current code mainly to print GIF/media URLs rather than fully downloading, caching, or converting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
98% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
all_ok &= axis(False, "frontmatter (no SKILL.md)")
        all_ok &= axis(False, "docs (no SKILL.md)")
    # 3 compiles
    comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp],
                                capture_output=True).returncode == 0 for fp in files)
    all_ok &= axis(comp_ok, "compiles (py_compile all .py)")
    # 4 self-test (any of 3 valid forms)
Confidence
91% confidence
Finding
comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp], capture_output=True).returncode == 0 for fp in files)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
99% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises executable behavior involving environment variables, local file access, network access, and shell usage, but it does not declare permissions or clearly scope those capabilities. This is dangerous because agent platforms and users cannot make an informed trust decision, and hidden capability surfaces can enable unintended data exposure, arbitrary downloads, or command execution in higher-privilege environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The documented purpose is limited to searching and downloading GIFs, but the skill reportedly also includes unrelated CI/deploy validation and additional API behaviors such as trending, random, and metadata lookup. Description-behavior mismatches are risky because they obscure the real attack surface, making reviewers less likely to scrutinize functions that perform unexpected network calls or operational checks.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This finding correctly identifies that the verification harness executes arbitrary Python files from the product under review as part of self-test detection. In the context of analyzing third-party skills, that behavior turns verification itself into an arbitrary-code-execution surface.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The harness both compiles discovered Python files and executes discovered test files unrelated to the advertised GIF-search functionality. This expands the attack surface because any attacker-supplied repository can place malicious files in the folder and have them processed or executed by CI.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill description does not clearly warn that it makes live requests to the Tenor API and downloads files to local storage. While expected for this type of tool, the missing disclosure can still lead users or orchestrators to run it without understanding network egress, API-key use, or local file-write side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The harness executes subprocess-based self-tests automatically without clear disclosure or consent to the operator. In a verification tool handling untrusted skill folders, lack of warning increases the chance that reviewers or CI systems execute attacker-controlled code unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatically discovered test files are executed without explicit user disclosure. That is especially risky here because the target content is untrusted skill code, so operators may not realize verification entails executing arbitrary Python from the reviewed folder.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.