find-skills-combo
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated purpose, but its SKILL.md contains hidden Unicode control characters and it documents commands that can globally install or update skills.
Before installing, inspect the raw SKILL.md for hidden Unicode characters and remove them. If you use the skill, treat its install and update recommendations as high-impact changes: approve each skill individually, avoid global/no-confirm installs unless you really intend them, and verify the source of every recommended skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could see or interpret the skill instructions differently than intended if the raw file contains display-changing characters.
Invisible Unicode control characters can make the raw instruction text display differently from what a reviewer or user expects. The neutralized artifact does not show a malicious payload, but the hidden formatting is not purpose-aligned.
Pre-scan injection signals: unicode-control-chars; controlCharactersRemoved: 4
Inspect the raw SKILL.md, remove all invisible control characters, and reinstall only after confirming the visible instructions match the raw contents.

If used carelessly, the agent could install or update skills persistently, including more skills than the user intended.
These commands are related to the skill's purpose, but global installation, skipped confirmation, and updating all installed skills can modify the agent environment beyond a simple recommendation.
`npx skills add <package> -g -y` — Install globally, skip confirmation; `npx skills update` — Update all installed skills
Require explicit user approval before any install or update, avoid `-y` unless the user specifically requests it, and review each proposed skill before installation.

Installing recommended skills could bring in unreviewed third-party instructions or code.
The skill's intended function involves discovering and installing third-party skills. That is purpose-aligned, but it introduces normal supply-chain risk from external packages.
`npx skills add <package>` — Install a skill from GitHub or other sources
Prefer well-known sources, review package provenance and permissions, and install only the specific skills the user approves.
