Giphy

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: giphy
Version: 1.0.7

The skill bundle is benign. It describes a Giphy search and send skill, requiring a `GIPHY_API_KEY` for its functionality. The `SKILL.md` provides clear instructions for the AI agent on when and how to use the Giphy API, including the specific endpoint `https://api.giphy.com/v1/gifs/search`. There is no evidence of data exfiltration beyond the necessary API key, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's core function or access unrelated sensitive data. All instructions and API calls are directly aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may occasionally add a GIF to a Discord conversation on its own, which could be unwanted in some channels or serious discussions.

Why it was flagged

The skill can lead the agent to post a GIF URL in Discord without a direct user request, but the behavior is disclosed, purpose-aligned, and limited to occasional fitting moments.

Skill content

Also allow proactive GIFs (without explicit request) when the moment clearly fits

Recommendation

Use this skill only where light visual reactions are appropriate, and prefer asking before posting if the channel context is sensitive or formal.

What this means

A Giphy API key must be available to the agent environment for the skill to work.

Why it was flagged

The skill requires a service API key. This is expected for Giphy API access and the artifact does not show logging, hardcoding, or unrelated credential use.

Skill content

This skill reads only one variable: `GIPHY_API_KEY`.

Recommendation

Use a dedicated Giphy API key, avoid sharing it in chat, and consider having the registry metadata declare the env var for clearer setup.

What this means

GIF keywords or short context used as the search query may be sent to Giphy.

Why it was flagged

The skill sends the user's GIF search intent to the external Giphy API. This is necessary for the purpose, but it is still an external data flow.

Skill content

Build a Giphy Search API URL with user intent as query.

Recommendation

Avoid using sensitive, private, or identifying text as GIF search queries.