Giggle Files Management
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill uploads files as advertised, but it tells the agent to automatically upload any file it wants to show, which could make private local files public without clear confirmation.
Install only if you are comfortable with the agent uploading selected files to Giggle and receiving public URLs. Before use, make sure the agent asks before uploading existing local files, especially documents, screenshots, archives, or anything containing personal or confidential information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A private document, image, or other local file could be uploaded to a public asset service just because the agent wants to show it to the user.
The skill directs the agent to upload any file it wants to display or share, including locally read files, and the result is a public URL. This is broader than user-directed file hosting and lacks an explicit confirmation step for potentially private files.
Returns a **public URL** ... "When you need to send, show, or share any file ... always upload it using this skill first" ... "You read a file ... upload first"
Only upload files the user explicitly selects or approves, clearly warn that the file will become public, and add scope limits or sensitive-file checks before upload.
Anyone using this skill with your API key can create public assets under the associated service account.
The script uses a provider API key to create and register uploaded assets. This is expected for the integration, but it means the skill acts under that account's authority.
API_KEY="${GIGGLE_ASSET_SERVICE_KEY:-${STORYCLAW_API_KEY:-}}" ... -H "x-api-key: $API_KEY"
Use a dedicated, least-privileged API key if available, keep it out of logs and shared environments, and rotate it if it may have been exposed.
