slack-gif-creator
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides legitimate utility functions for image processing and animation assembly. It includes core logic for color quantization, frame deduplication, and size validation to meet Slack's technical requirements.
- [EXTERNAL_DOWNLOADS]: The skill's requirements.txt file specifies well-known, reputable Python libraries (Pillow, imageio, numpy, and imageio-ffmpeg). These are standard dependencies for media processing tasks and are fetched from the official Python Package Index (PyPI).
- [COMMAND_EXECUTION]: The codebase was audited for unsafe execution patterns; no instances of eval(), exec(), or dangerous subprocess calls were found. The scripts focus exclusively on manipulating image data using the Pillow and imageio APIs.
- [DATA_EXPOSURE]: The skill accesses system-level font paths (e.g., /System/Library/Fonts/ on macOS or C:\Windows\Fonts\ on Windows) to render text and emojis. This is standard, non-malicious behavior required for the functioning of the Pillow library's text rendering engine.
- [INDIRECT_PROMPT_INJECTION]: The skill has an ingestion surface for untrusted data, as it is designed to render user-provided text and descriptions into GIFs.
- Ingestion points: User-supplied strings passed to the draw_text_with_outline and draw_emoji_enhanced functions in core/typography.py and core/frame_composer.py.
- Boundary markers: Not present in the provided library code.
- Capability inventory: The skill can write files to the local disk using imageio.imwrite in core/gif_builder.py.
- Sanitization: None, as the tool is intended to render the literal text provided by the user.
- Risk Assessment: The risk is minimal as the input is treated as static text for rendering and is not interpreted as code or logic.