Skill v1.0.1
ClawScan security
Gifgrep · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:20 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's runtime instructions and install hints are consistent with a GIF search/download tool; the only issues are minor metadata mismatches in the registry (env/binary requirements not declared there).
- Guidance: This skill appears to do what it says — a CLI/TUI for searching and downloading GIFs. Before installing/using it: 1) Note that SKILL.md expects the gifgrep binary; install via the listed Homebrew formula or Go module and verify those upstream sources (brew tap and GitHub repo) yourself. 2) If you want Giphy results you must provide a GIPHY_API_KEY; only give keys with appropriate scope and from a trusted account. Tenor works with a demo key by default. 3) The registry metadata you were shown omitted the binary/env requirements — confirm the platform will surface the SKILL.md requirements to you at install time. 4) Since the skill works by invoking an external binary, review that binary's source/release and checksums where possible (and the brew tap/GitHub repo) before trusting it. 5) The tool writes downloads to ~/Downloads and can reveal files in Finder; it does not request unrelated system data in the instructions. If you want stronger assurance, review the gifgrep project's source code and releases directly.
Review Dimensions
- Purpose & Capability (note): SKILL.md describes a CLI/TUI tool (gifgrep) that searches GIF providers, downloads results, and extracts stills/sheets. The instructions and declared install options (brew formula and Go module pointing to github.com/steipete/gifgrep) match that purpose. However, the registry metadata summary provided to you earlier said no required binaries/env vars, while SKILL.md metadata requires the gifgrep binary and documents GIPHY_API_KEY/TENOR_API_KEY — a metadata mismatch worth noting.
- Instruction Scope (ok): The instructions tell the agent to run gifgrep commands, optionally write downloads to ~/Downloads, and reveal files in Finder; they do not instruct reading unrelated system files, sweeping env variables, or transmitting data to unexpected endpoints. Environment tweaks are limited to gifgrep-specific variables.
- Install Mechanism (ok): Install options are standard: a Homebrew formula (steipete/tap/gifgrep) and a Go module (github.com/steipete/gifgrep/cmd/gifgrep@latest). Both are traceable to public package sources/GitHub rather than arbitrary download URLs or opaque archives.
- Credentials (note): SKILL.md documents GIPHY_API_KEY (required for --source giphy) and TENOR_API_KEY (optional); these are proportional to the stated functionality. The earlier registry metadata claiming no required env vars conflicts with SKILL.md — verify which metadata the platform will rely on and be prepared to supply a provider API key if you want Giphy support.
- Persistence & Privilege (ok): The skill is instruction-only (no code files bundled) and does not request always: true or any elevated/persistent system privileges. It does not modify other skills' configs or request system-wide credentials.
