Giggle Files Management
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill does what it says, but it broadly encourages uploading arbitrary local files to public URLs without clear per-file confirmation or scope limits.
Install only if you are comfortable using Giggle’s asset service for public file hosting. Before using it, confirm which API key it will use and only upload files that the user explicitly wants made public; do not use it automatically for private local files, secrets, or confidential documents.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent may upload a file to a public hosting service even when the user only expected the file to be displayed or summarized locally.
The skill directs the agent to prefer this upload path broadly, including for locally read files, which can override a safer response such as asking before uploading private content.
When you need to send, show, or share any file ... always upload it using this skill first ... You read a file ... and want to display it — upload first
Use this skill only for files the user explicitly wants hosted, and add a confirmation step before uploading local, user-provided, private, or sensitive files.
If invoked on the wrong path, private documents, media, archives, or other local data could become accessible through a public asset URL.
The helper uploads the provided local file to a presigned URL and explicitly requests public hosting, with no built-in file-scope checks or approval gate.
-d "{\"file_name\":\"$CUSTOM_NAME\",\"content_type\":\"$CONTENT_TYPE\",\"is_public\":true}" ... curl ... -T "$FILE_PATH" ... "$SIGNED_URL"
Restrict use to user-selected files, avoid secrets or private documents, and require confirmation before uploading anything that was read from disk rather than generated for sharing.
The upload is performed under the configured Giggle or StoryClaw credential, which may affect the user’s account or quota.
The script uses a provider API key and also accepts STORYCLAW_API_KEY as a fallback credential. This is documented in SKILL.md, but users should be aware that either key can authorize uploads.
API_KEY="${GIGGLE_ASSET_SERVICE_KEY:-${STORYCLAW_API_KEY:-}}" ... -H "x-api-key: $API_KEY"
Store the API key securely, use the least-privileged key available, and confirm that the STORYCLAW_API_KEY fallback is intended in your environment.
