ClawHub

find-skills (jimliuxinghai)

Security checks across malware telemetry and agentic risk

Overview

This is a skill-discovery helper that can install other skills, with the main caution that its recommended install command is global and skips a CLI prompt.

Before installing a recommended skill, review its source and only approve global installs you want available in future sessions. Prefer removing `-y` if you want the CLI confirmation prompt, and ask the agent to help directly when you do not want skill marketplace search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The top-level description uses broad activation cues like 'how do I do X' and 'can you do X', which are common conversational patterns and can cause the skill to trigger in many situations where the user is not actually asking to discover or install a skill. In this context, over-triggering is risky because the skill can steer the agent toward package discovery and installation workflows that may change the user's environment unnecessarily.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The 'When to Use This Skill' section is ambiguous and insufficiently constrained, including generic requests about specialized capabilities, tools, workflows, or domain help. Because this skill's behavior includes recommending and potentially installing third-party skills, vague activation boundaries increase the chance of the agent invoking a package-management path when the user only wanted advice or task help.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends `npx skills add <owner/repo@skill> -g -y`, which performs a global installation and suppresses confirmation prompts, but it does not clearly warn that this modifies the user's system and may install code from external sources. In a skill-discovery context, this is especially dangerous because the workflow normalizes quick installation of third-party packages, reducing friction for potentially unsafe or unintended system changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal