Find Skills

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A skill installed this way can affect future agent behavior across the user’s environment.

Why it was flagged

The skill documents a command that can modify the user’s installed agent skills globally and bypass the CLI’s confirmation prompt. This is aligned with the stated install-helper purpose, but it should require clear user approval of the exact package.

Skill content

npx skills add <owner/repo@skill> -g -y

The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.

Recommendation

Before installing, confirm the exact skill name, source, and expected behavior; consider avoiding `-y` unless the user has already reviewed the install details.

What this means

Installing an untrusted or low-quality skill could add unsafe instructions or capabilities to the agent.

Why it was flagged

The skill directs use of an external package manager to install third-party skills from GitHub or other sources. The instructions include reputation checks, which helps, but third-party skill installation remains a supply-chain consideration.

Skill content

`npx skills add <package>` - Install a skill from GitHub or other sources

Recommendation

Prefer reputable sources, inspect the skill’s contents and permissions, and avoid installing unknown skills solely based on search results or popularity.