find-skills
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill provides instructions for the agent to search for and install third-party packages using the 'npx skills' CLI. It is classified as suspicious due to a potential shell injection vulnerability in the 'npx skills find [query]' command and the instruction to use the '-y' flag in SKILL.md, which bypasses user confirmation during global software installation. While these behaviors are aligned with the skill's stated purpose as a package manager, they represent significant security risks if the agent processes unvalidated user input.
