openclaw-whatsapp-gif

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent and purpose-aligned for finding a safe GIF and sending one WhatsApp reaction, but users should notice that it can send media to chats and may use provider keys, local cache, and optional logs.

This skill appears safe for its advertised purpose, but install it only if you are comfortable with the agent sending one GIF to WhatsApp chats, contacting Tenor/Giphy, and caching downloaded media locally. Keep telemetry off unless you need it, and confirm before using GIFs in sensitive or formal conversations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may send a GIF to a WhatsApp recipient rather than only suggesting one.

Why it was flagged

The skill is explicitly designed to send media into a WhatsApp chat. This is purpose-aligned and bounded, but it is an external action performed through the user's messaging context.

Skill content

Use when the user asks for a GIF/meme/reaction, or when a short visual reaction is better than plain text... Send top result with `message` tool to WhatsApp

Recommendation

Use it when the recipient and chat context are clear, and consider requiring confirmation before sending in formal, sensitive, or high-stakes conversations.

What this means

If these keys are present in the environment, the skill can use them for GIF searches.

Why it was flagged

The skill can use provider API keys to query GIF services. This is expected for Tenor/Giphy integration and the artifacts do not show hardcoded keys, unrelated credential use, or logging of the keys.

Skill content

Reads `TENOR_API_KEY` and/or `GIPHY_API_KEY`.

Recommendation

Use provider-scoped keys only, avoid placing unrelated secrets in the environment, and rotate keys if you suspect exposure.

What this means

GIF search terms and selected media URLs may remain on disk if logging is enabled.

Why it was flagged

When telemetry is enabled by policy, CLI flag, or log-file option, the script persists the GIF query, selected URL, errors, and delivery mode to a local log.

Skill content

if telemetry_enabled: ... f.write(json.dumps({"ts": int(time.time()), "query": args.query, "selected": (selected or {}).get("url"), "errors": errors, "mode": args.delivery_mode}) + "\n")

Recommendation

Leave telemetry disabled unless needed, choose a safe log location if enabling it, and periodically delete logs and cached media.

What this means

It may be harder to independently verify the maintainer or original source of the skill.

Why it was flagged

The artifact set does not provide an upstream source or homepage. There is no remote install mechanism shown, but provenance is less transparent.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install only from a trusted registry entry and review included scripts before use, especially after updates.