v1.0.2

Gifgrep

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

Gifgrep appears to be a coherent GIF search and download helper, with normal cautions around installing an external CLI, using provider API keys, and sending searches to Tenor or Giphy.

Guidance: Before installing, verify that you trust the gifgrep package source, use limited provider API keys if needed, and avoid putting confidential information into GIF search queries.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
"formula": "steipete/tap/gifgrep" ... "module": "github.com/steipete/gifgrep/cmd/gifgrep@latest"

The skill installs a third-party CLI through a Homebrew tap or an unpinned Go module. This is disclosed and central to the skill, but users should verify the source.

User impact: Installing the skill means trusting the external gifgrep package that the installer fetches.
Recommendation: Install only if you trust the gifgrep project and installer source; prefer a pinned or verified release if available.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
`--download` saves to `~/Downloads`; `--reveal` shows the last download in Finder

The CLI can write downloaded GIFs to the user's Downloads folder and reveal them in the file manager. This is disclosed and purpose-aligned.

User impact: If invoked to download results, the agent may create files in your Downloads folder.
Recommendation: Use download options intentionally and review downloaded GIFs before opening or sharing them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
`GIPHY_API_KEY` required for `--source giphy`; `TENOR_API_KEY` optional

The skill may use provider API keys for Giphy or Tenor access. This is expected for provider integrations, but the registry metadata does not declare required credentials.

User impact: Searches made with provider-specific API keys may count against or be associated with those provider accounts.
Recommendation: Use restricted provider API keys where possible and set them only when you intend to use those providers.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Info | Confidence: High | Status: Note
SKILL.md
Use `gifgrep` to search GIF providers (Tenor/Giphy)

The skill's core function sends search terms to external GIF providers. This is clearly disclosed and purpose-aligned.

User impact: Private or sensitive search phrases could be sent to Tenor or Giphy if used as queries.
Recommendation: Avoid using sensitive, confidential, or personal information in GIF search queries.