ClawHub

Find Skill

v1.0.0

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

13· 12.2k·151 current·157 all-time
by@breckengan·duplicate of @robin797860/find-skills-robin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md: the skill is an instruction-only assistant that uses the 'skills' CLI (npx skills) to find and add skills. However the skill declares no required binaries while the runtime guidance assumes npx/npm is available — a minor mismatch that should be documented or enforced.
!
Instruction Scope
Instructions ask the agent to run 'npx skills find' and 'npx skills add', and to use 'npx skills add <owner/repo@skill> -g -y' to install globally and skip confirmations. That is within the stated purpose (discover/install skills) but grants the agent the ability to download and execute arbitrary third‑party packages silently; the SKILL.md does not instruct reviewing package source or permissions.
Install Mechanism
This skill is instruction-only (no install spec and no code files) which is low-risk. But the recommended install mechanism (npx skills add) will fetch code from remote sources (GitHub/registry) when used — the skill itself does not restrict or advise vetting those downloads.
Credentials
The skill requests no environment variables, credentials, or special config paths — nothing appears disproportionate in declared env/cred requirements.
!
Persistence & Privilege
always is false (good) but the platform default allows autonomous invocation. Combined with instructions to install arbitrary skills (including global, unattended installs), this increases the blast radius: an agent that can run commands could install other skills which themselves can run code. The SKILL.md does not recommend safeguards (user confirmation, sandboxing, review).
What to consider before installing
This skill is what it says: a helper that runs the 'skills' CLI via npx to find and add other skills. Before using it, ensure you: (1) have npx/npm and understand what 'npx skills add' will do on your system; (2) do not allow unattended/global installs (-g -y) unless you trust the package source; (3) review the target skill's repository or package before installing (look for code, maintainer, popularity, and permissions); (4) prefer local or sandboxed installs rather than global installs; and (5) consider disabling autonomous agent installation or requiring explicit user confirmation so the agent cannot silently pull and run third‑party code. If you want, I can show how to manually inspect a candidate skill repo before installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk971kq7bdmx892wk6zrhve9m4182dpb6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments