ClawHub

Skills.sh Search

v1.0.4

Search skills.sh registry from CLI. Find and discover agent skills from the skills.sh ecosystem.

19· 6.7k·43 current·44 all-time
bySeth Rose@thesethrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation. The CLI only fetches https://skills.sh/api/skills and filters/displays results. Requiring the 'node' binary is appropriate. Minor note: package.json version (1.0.0) differs from SKILL.md metadata (1.0.4), but this is a metadata inconsistency rather than a security concern.
Instruction Scope
SKILL.md instructions stick to searching, showing popular skills, and guiding installation via clawdhub/npx. The instructions do not ask the agent to read local secrets, unrelated files, or transmit data to third parties beyond skills.sh. The TUI guidance to select the Clawdbot agent is explicit and scoped to installation.
Install Mechanism
No install spec is provided (instruction-only), and included code is a small CLI that uses Node's built-in https module. There are no downloads from arbitrary URLs or archive extraction. The README suggests using npx/clawdhub which runs remote code—standard for JS CLIs—but users should understand npx executes published package code.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not attempt to access unrelated secrets or system configs.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes. It instructs installation into Clawdbot's workspace but does not modify other skills or system settings.
Assessment
This skill appears to do exactly what it claims: query the skills.sh API and display results. Before installing, verify the package source (the repository and author) if you plan to run via npx, since npx executes remote code. The SKILL.md and cli.js contain no attempts to read credentials or local files. If you prefer extra caution, review the small cli.js file yourself or install from a vetted repository release rather than running with npx. Also note the small version mismatch between SKILL.md and package.json — a sign to confirm you have the expected release.

Like a lobster shell, security has layers — review code before you run it.

latestvk979s197m1jw7054jk7zv07zd57znb9p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments