Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Search

v1.0.0

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a find-and-install helper for agent skills and the commands it recommends (npx skills find / add) are consistent with that purpose. However the registry metadata and the included _meta.json disagree on ownerId, slug, and version (registry: ownerId kn7ejmm..., slug dragon-find-skills, version 1.0.0; _meta.json: ownerId kn77ajmm..., slug find-skills, version 0.1.0). Those provenance mismatches are unexplained and reduce trust.
Instruction Scope
Instructions stay within scope: they only describe searching and installing skills using the Skills CLI. They recommend running `npx skills add <pkg> -g -y` (global install, skip prompts) which can cause unattended global installation of arbitrary packages — this is an operational risk and should not be done without explicit user approval.
Install Mechanism
The skill is instruction-only (no install spec), so nothing is written by the skill itself. But the runtime commands it recommends use `npx`, which downloads and executes code from the npm ecosystem; that is expected for a skill-installer but is a supply-chain risk and should be done deliberately and with source validation.
Credentials
The skill declares no required environment variables, binaries, or config paths and its instructions don't reference any secrets or unrelated system files. This is proportionate to its stated purpose.
Persistence & Privilege
always is false and there is no install spec, so the skill does not request permanent inclusion. However the skill advises installing other skills globally and unattended; combined with autonomous invocation on the platform, that pattern increases blast radius if the agent executes installs without clear user consent.
What to consider before installing
This skill appears to do what it says (find and install other skills) but two issues warrant caution: (1) the registry metadata in the package files doesn't match the registry listing (mismatched owner/slug/version), which could indicate a packaging or provenance problem — verify the source/author before trusting installs; (2) the instructions recommend using `npx` to install arbitrary packages with `-g -y` (global, unattended). npx installs can execute remote code (supply-chain risk) and skipping confirmation removes a user safety check. Before installing any recommended skill: confirm the exact package name and source, open the package/repository to inspect it, avoid global/unattended installs (omit -g and -y or run in a sandbox), and require explicit user confirmation before running npx commands. If you want me to proceed with a specific install, tell me to do it and I will remind you what will be fetched and ask for approval first.
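
The two checks recommended above (comparing the registry listing against the bundled `_meta.json`, and refusing unattended global installs) can be enforced before an agent runs anything. This is an added example, not code from ClawHub, OpenClaw or the Skills CLI; the function names are hypothetical, and the owner ids are placeholders because the scan text truncates them.

```javascript
// Added example: pre-install gate for `npx skills add` (hypothetical helper names).
const PROVENANCE_FIELDS = ["ownerId", "slug", "version"];
const RISKY_FLAGS = new Set(["-g", "-y"]); // global install, skip prompts (per SKILL.md)
const PKG_SPEC = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+$/; // owner/repo@skill

// Fields where the registry listing and the bundled _meta.json disagree.
function provenanceMismatches(registry, meta) {
  return PROVENANCE_FIELDS.filter((f) => registry[f] !== meta[f]);
}

// Accept only a plain `npx skills add <owner/repo@skill>`; strip -g / -y and
// reject extra arguments, unknown flags and shell metacharacters.
function reviewInstallCommand(command) {
  const tokens = command.trim().split(/\s+/);
  if (tokens.slice(0, 3).join(" ") !== "npx skills add") {
    return { ok: false, reason: "not an `npx skills add` command" };
  }
  const args = tokens.slice(3);
  const stripped = args.filter((a) => RISKY_FLAGS.has(a));
  const rest = args.filter((a) => !RISKY_FLAGS.has(a));
  if (rest.length !== 1 || !PKG_SPEC.test(rest[0])) {
    return { ok: false, reason: "expected exactly one owner/repo@skill argument" };
  }
  return { ok: true, pkg: rest[0], stripped, safeCommand: `npx skills add ${rest[0]}` };
}

// `userApproved` must come from an explicit user answer for this exact
// package, never from the agent's own judgement.
function gateInstall(command, registry, meta, userApproved) {
  const mismatches = provenanceMismatches(registry, meta);
  if (mismatches.length > 0) {
    return { run: false, reason: `provenance mismatch: ${mismatches.join(", ")}` };
  }
  const review = reviewInstallCommand(command);
  if (!review.ok) return { run: false, reason: review.reason };
  if (!userApproved) {
    return { run: false, reason: `needs approval: ${review.safeCommand}` };
  }
  return { run: true, command: review.safeCommand };
}

// Constructed sample data: slug and version values are the ones quoted in the
// scan text; the owner ids are placeholders for the truncated values.
const registryListing = { ownerId: "OWNER_ID_FROM_REGISTRY", slug: "dragon-find-skills", version: "1.0.0" };
const bundledMeta = { ownerId: "OWNER_ID_FROM_META_JSON", slug: "find-skills", version: "0.1.0" };
const proposed = "npx skills add vercel-labs/agent-skills@vercel-react-best-practices -g -y";

console.log(gateInstall(proposed, registryListing, bundledMeta, true));
console.log(gateInstall(proposed, registryListing, registryListing, false));
```

With the metadata quoted in the scan, the gate refuses on provenance alone; with matching metadata it still withholds the install until the user approves the rewritten command without `-g -y`.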

SKILL.md

Find Skills

This skill helps you discover and install skills from the open agent skills ecosystem.

When to Use This Skill

Use this skill when the user:

  • Asks "how do I do X" where X might be a common task with an existing skill
  • Says "find a skill for X" or "is there a skill for X"
  • Asks "can you do X" where X is a specialized capability
  • Expresses interest in extending agent capabilities
  • Wants to search for tools, templates, or workflows
  • Mentions they wish they had help with a specific domain (design, testing, deployment, etc.)

What is the Skills CLI?

The Skills CLI (npx skills) is the package manager for the open agent skills ecosystem. Skills are modular packages that extend agent capabilities with specialized knowledge, workflows, and tools.

Key commands:

  • npx skills find [query] - Search for skills interactively or by keyword
  • npx skills add <package> - Install a skill from GitHub or other sources
  • npx skills check - Check for skill updates
  • npx skills update - Update all installed skills

Browse skills at: https://skills.sh/

How to Help Users Find Skills

Step 1: Understand What They Need

When a user asks for help with something, identify:

  1. The domain (e.g., React, testing, design, deployment)
  2. The specific task (e.g., writing tests, creating animations, reviewing PRs)
  3. Whether this is a common enough task that a skill likely exists

Step 2: Search for Skills

Run the find command with a relevant query:

npx skills find [query]

For example:

  • User asks "how do I make my React app faster?" → npx skills find react performance
  • User asks "can you help me with PR reviews?" → npx skills find pr review
  • User asks "I need to create a changelog" → npx skills find changelog

The command will return results like:

Install with npx skills add <owner/repo@skill>

vercel-labs/agent-skills@vercel-react-best-practices
└ https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 3: Present Options to the User

When you find relevant skills, present them to the user with:

  1. The skill name and what it does
  2. The install command they can run
  3. A link to learn more at skills.sh

Example response:

I found a skill that might help! The "vercel-react-best-practices" skill provides
React and Next.js performance optimization guidelines from Vercel Engineering.

To install it:
npx skills add vercel-labs/agent-skills@vercel-react-best-practices

Learn more: https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 4: Offer to Install

If the user wants to proceed, you can install the skill for them:

npx skills add <owner/repo@skill> -g -y

The -g flag installs globally (user-level) and -y skips confirmation prompts.

Common Skill Categories

When searching, consider these common categories:

| Category | Example Queries |
|---|---|
| Web Development | react, nextjs, typescript, css, tailwind |
| Testing | testing, jest, playwright, e2e |
| DevOps | deploy, docker, kubernetes, ci-cd |
| Documentation | docs, readme, changelog, api-docs |
| Code Quality | review, lint, refactor, best-practices |
| Design | ui, ux, design-system, accessibility |
| Productivity | workflow, automation, git |

Tips for Effective Searches

  1. Use specific keywords: "react testing" is better than just "testing"
  2. Try alternative terms: If "deploy" doesn't work, try "deployment" or "ci-cd"
  3. Check popular sources: Many skills come from vercel-labs/agent-skills or ComposioHQ/awesome-claude-skills

When No Skills Are Found

If no relevant skills exist:

  1. Acknowledge that no existing skill was found
  2. Offer to help with the task directly using your general capabilities
  3. Suggest the user could create their own skill with npx skills init

Example:

I searched for skills related to "xyz" but didn't find any matches.
I can still help you with this task directly! Would you like me to proceed?

If this is something you do often, you could create your own skill:
npx skills init my-xyz-skill
