gifgrep
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill's installation process targets the third-party Homebrew tap 'steipete/tap/gifgrep' and the Go module 'github.com/steipete/gifgrep/cmd/gifgrep@latest'. These sources do not belong to the list of Trusted GitHub Organizations or Repositories.
- COMMAND_EXECUTION (LOW): The skill is designed to run the 'gifgrep' binary with user-provided arguments, creating a dependency on the integrity of the downloaded third-party executable.
- INDIRECT_PROMPT_INJECTION (LOW): The skill processes data from external providers (Tenor, Giphy), which could contain malicious metadata.
  - Ingestion points: GIF titles, tags, and provider descriptions.
  - Boundary markers: Absent in skill instructions.
  - Capability inventory: Writing files to '~/Downloads', image manipulation (stills/sheets).
  - Sanitization: No sanitization of external metadata is mentioned.
- CREDENTIALS_UNSAFE (SAFE): The skill uses environment variables for API keys (GIPHY_API_KEY) and does not contain hardcoded secrets.