Skill v1.0.0

ClawScan security

find-skills-wzr-999 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 7:02 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are coherent with a 'find and install skills' purpose, but the skill never declares that it requires Node/npm/npx, and it encourages global, unattended installs (`npx skills add` with `-g -y`). That is risky and mismatched with the declared requirements.
Guidance
This skill is essentially a helper that tells the agent to run `npx skills` to search for and install other skills. Before installing it or allowing it to run:
1. `npx` downloads and executes code from remote package sources. Only install packages you trust, and inspect the package's repository when you can.
2. The SKILL.md recommends `-g -y`, which performs a global, unattended install. Avoid automatic `-y` global installs, or require explicit confirmation before each one.
3. The skill metadata does not declare that Node/npm/npx are required, so expect Node to be needed at runtime.
4. Do not run installs as root.
5. Ask the agent to show the exact package repository and README before installing, or run installs locally (without `-g`) so you can review what was fetched.
If the publisher or homepage cannot be verified, treat any install as higher risk.
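The guidance above amounts to a small pre-install checklist, and it is easy to enforce mechanically. The following POSIX shell wrapper is an added example, not code from ClawHub or from the `find-skills-wzr-999` skill: it refuses to run as root, checks that `npx` is actually present (the dependency the metadata omits), drops the `-g` and `-y` flags so the install stays local and interactive, and asks for confirmation before delegating to `npx skills add`. It assumes the Skills CLI accepts `add <pkg>` with `-g` and `-y` flags exactly as the SKILL.md quotes them; nothing else about the CLI is assumed.

```shell
#!/bin/sh
# Added example: a guard around `npx skills add` that applies the ClawScan guidance.
# Assumption: `npx skills add <pkg> [-g] [-y]` is the install syntax the SKILL.md quotes.

# Return 0 (true) if any argument asks for a global (-g) or unattended (-y) install.
has_risky_flags() {
  for a in "$@"; do
    case "$a" in
      -g|-y) return 0 ;;
    esac
  done
  return 1
}

# Print the arguments with -g and -y removed, space-separated on one line.
strip_risky_flags() {
  out=""
  for a in "$@"; do
    case "$a" in
      -g|-y) ;;
      *) out="${out:+$out }$a" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Build the exact command that would run after sanitising the flags.
# $1 is the package/repo identifier; remaining arguments are passed through.
plan_install() {
  pkg=$1
  shift
  rest=$(strip_risky_flags "$@")
  printf 'npx skills add %s%s\n' "$pkg" "${rest:+ $rest}"
}

# Interactive wrapper: preflight checks, show the sanitised command, confirm, then run it.
safe_skill_add() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to install skills as root" >&2
    return 2
  fi
  if ! command -v npx >/dev/null 2>&1; then
    echo "npx not found: this skill needs Node/npm even though its metadata does not declare it" >&2
    return 3
  fi
  if has_risky_flags "$@"; then
    echo "note: dropping -g/-y so the install is local and the CLI's prompts are shown" >&2
  fi
  cmd=$(plan_install "$@")
  printf 'About to run: %s\nInspect the package repository and README first. Continue? [y/N] ' "$cmd"
  read -r ans
  [ "$ans" = "y" ] || { echo "aborted" >&2; return 1; }
  # Flags are simple tokens without spaces, so word-splitting the sanitised list is safe here.
  set -- $(strip_risky_flags "$@")
  npx skills add "$@"
}

# Usage (hypothetical identifier): safe_skill_add some-owner/some-skill -g -y
```

Dropping `-g` keeps the fetched code inside the current project directory, where it can be diffed and reviewed, and dropping `-y` restores whatever prompts the CLI would otherwise suppress; the root check is a hard refusal rather than a warning because a global install as root is the case with the least possibility of later review.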

Review Dimensions

Purpose & Capability
note: The SKILL.md explicitly instructs use of the Skills CLI via `npx skills` (which requires Node/npm/npx and network access) and explains the install commands. However, the skill metadata declares no required binaries or environment variables, a minor incoherence because npx is effectively required to perform the described actions.
Instruction Scope
concern: Instructions direct the agent to run `npx skills find` and (if the user agrees) `npx skills add <pkg> -g -y`. That is consistent with 'discover and install skills', but `npx` fetches and executes remote packages from npm/GitHub, and `-g -y` performs a global, unattended install. The instructions therefore allow downloading and installing arbitrary third-party code without any user confirmation beyond the initial opt-in, which expands the runtime surface well beyond simple search.
Install Mechanism
note: There is no install spec (the skill is instruction-only), which is low-risk in itself. But runtime behavior relies on package downloads via npx/npm (network pulls of third-party packages). The metadata does not declare this dependency, and the SKILL.md promotes global installs; these factors increase execution risk even though no install script is embedded in the skill bundle.
Credentials
ok: The skill does not request any secrets, credentials, or config paths. It stays within the expected scope for a discovery/install helper and does not ask for unrelated environment variables.
Persistence & Privilege
ok: `always` is false, and the skill does not request persistent or cross-skill configuration. Autonomous invocation is allowed (the default), but that is expected for skills; nothing here demands elevated or permanent privileges.