GifGrep (tc)

Pass

Audited by ClawScan on May 11, 2026.

Overview

GifGrep appears to be a straightforward GIF search and processing skill, but it relies on an external CLI and optional Tenor/Giphy API keys that users should verify and protect.

This skill looks purpose-aligned. Before using it, verify the external gifgrep CLI source, consider pinning the Go/Homebrew install, provide only appropriate Tenor or Giphy API keys, and save downloads to safe workspace paths.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill's CLI dependency may run code from an external Homebrew tap or Go module that was not reviewed here.

Why it was flagged

The skill depends on externally installed code, and the Go install reference uses '@latest' rather than a pinned version. This is normal for a CLI-based GIF tool, but the code is outside the provided scan artifacts.

Skill content

"install": [{ "type": "homebrew", "package": "steipete/tap/gifgrep" }, { "type": "go", "package": "github.com/steipete/gifgrep/cmd/gifgrep@latest" }]

Recommendation

Verify the gifgrep source before installing, prefer pinned versions where possible, and install from a trusted environment.

What this means

Provider API keys could be used to authenticate searches and consume API quota under your account.

Why it was flagged

The skill may use provider API keys for Giphy and Tenor. This is expected for the stated provider integrations and there is no evidence of credential logging or unrelated use.

Skill content

`GIPHY_API_KEY` | Optional for Giphy provider ... `TENOR_API_KEY` | Optional for Tenor provider

Recommendation

Use only the intended Tenor/Giphy keys, avoid sharing higher-privilege secrets, and rotate keys if they are exposed.

What this means

The agent may create or overwrite local media files if directed to use an existing output path.

Why it was flagged

The skill supports downloading and writing GIF/image output files to caller-supplied paths. This is central to the stated purpose and the examples use workspace-style paths.

Skill content

"download": true, "output_path": "/workspace/downloads/birthday.gif"

Recommendation

Use safe output directories and review paths before downloading or generating files.