gifgrep
Pass. Audited by ClawScan on May 11, 2026.
Overview
The skill’s GIF search purpose is coherent, but it relies on an external gifgrep CLI and optional Tenor/Giphy API keys that users should verify before use.
Before installing, verify the gifgrep CLI source and consider pinning a trusted version. Only provide Tenor or Giphy API keys you are comfortable using, and review download output paths when asking the agent to save GIF files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI may run or later use code that was not part of this skill package review.
The skill depends on installing an external CLI package, and the Go install target is unpinned with '@latest'. This is central to the stated purpose, but the external runtime code is not included in the reviewed artifact.
"package": "github.com/steipete/gifgrep/cmd/gifgrep@latest"
Verify the gifgrep source and install method before use, and prefer a pinned or audited release if available.
If configured, the agent can use those provider API keys when searching GIF services.
The skill may use provider API keys for Giphy and Tenor. That access is purpose-aligned for GIF search and rate limits, and the artifacts do not show leakage or unrelated credential use.
`GIPHY_API_KEY` | Optional for Giphy provider ... `TENOR_API_KEY` | Optional for Tenor provider
Use dedicated, low-privilege API keys where possible and monitor provider usage if the keys are important.
