Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gifgrep

v1.0.2

Search GIF providers with CLI/TUI, download results, and extract stills/sheets.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the behavior: the skill simply invokes the gifgrep CLI to search/browse/download GIFs. The declared install methods (brew formula and Go module for github.com/steipete/gifgrep) are appropriate for delivering a gifgrep binary.
!
Instruction Scope
SKILL.md explicitly instructs the agent to run gifgrep commands to search, download (to ~/Downloads), reveal in Finder, and extract stills/sheets. Those actions are within the stated purpose. However, the instructions also reference environment variables (GIPHY_API_KEY required for giphy; TENOR_API_KEY optionally) and other runtime env toggles that are not listed in the skill's declared requirements — this is a mismatch and could surprise users when keys are requested or used.
Install Mechanism
Installers are standard package sources: a Homebrew formula (steipete/tap/gifgrep) and a go module (github.com/steipete/gifgrep/cmd/gifgrep@latest). Neither uses arbitrary URLs or archive extraction. This is a low-risk, expected install surface for a CLI tool.
!
Credentials
The registry metadata lists no required environment variables, but the SKILL.md requires/mentions GIPHY_API_KEY (required for Giphy) and TENOR_API_KEY (optional). Asking for API keys for the GIF providers is proportionate to functionality, but the omission from metadata is a discrepancy that could lead to unexpected prompts or requests for secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does perform file writes (saves downloads to ~/Downloads) and may call Finder to reveal files — expected behavior for a download tool and within its scope. Autonomous invocation is allowed (default) but not combined with unusual privileges.
What to consider before installing
This skill appears to be a thin wrapper around the gifgrep CLI and the install sources look legitimate (Homebrew + Go). However:
(1) SKILL.md references GIPHY_API_KEY and TENOR_API_KEY but the registry metadata does not declare them — expect the tool to ask for or require those keys at runtime if you use the Giphy/Tenor sources.
(2) Verify the Homebrew tap (steipete/tap) and the Go module repo (github.com/steipete/gifgrep) yourself before installing to ensure you trust the upstream project.
(3) Be aware downloads are saved to ~/Downloads and the tool can open Finder to reveal files — grant only the filesystem access you are comfortable with.
(4) Because this is instruction-only (no code bundled), the registry scanner had nothing to analyze; if you need higher assurance, inspect the upstream source code or test the binary in a sandboxed environment before providing any API keys.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973frw40n210by9t2hn0vdr9d83d44c

Runtime requirements

🧲 Clawdis
Bins: gifgrep

Install

Install gifgrep (brew)
Bins: gifgrep
brew install steipete/tap/gifgrep
Install gifgrep (go)
Bins: gifgrep
go install github.com/steipete/gifgrep/cmd/gifgrep@latest
