Find Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is transparent about helping users find and install skills, but users should explicitly approve global installs and verify third-party sources.

This skill appears safe to use for discovery. Before letting it install anything, review the skill's source and owner, confirm you want a global user-level install, and be cautious with commands that skip confirmation prompts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A selected skill could be installed into the user's global agent environment and affect future agent behavior.

Why it was flagged

This is a user-directed workflow, but it lets the agent run a global install command while bypassing the CLI's confirmation prompt.

Skill content

If the user wants to proceed, you can install the skill for them: `npx skills add <owner/repo@skill> -g -y`. The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.

Recommendation

Ask for explicit user approval before installing, show the exact package/source, and avoid `-y` unless the user has clearly approved skipping prompts.

What this means

Installing an untrusted skill could introduce unsafe instructions or tools into the user's agent setup.

Why it was flagged

The skill's core workflow depends on installing third-party skills from external sources. This is expected for the purpose, but provenance and trust still matter.

Skill content

`npx skills add <package>` - Install a skill from GitHub or other sources

Recommendation

Review the skill page, repository, owner, and permissions before installing any third-party skill.

What this means

Users may have a harder time confirming the exact package identity and version they are reviewing.

Why it was flagged

This packaged metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. That is not malicious behavior by itself, but it creates a provenance/version clarity issue.

Skill content

"ownerId": "kn77ajmmqw3cgnc3ay1x3e0ccd805hsw", "slug": "find-skills", "version": "0.1.0"

Recommendation

The publisher should align registry and packaged metadata; users should verify they are installing the intended skill.