Find Skill
v1.0.4智能搜索和发现技能包,支持中英双语、多来源,按关键词、标签及作者快速定位所需技能。
⭐ 1· 258·0 current·0 all-time
bybittao@hgta23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the code: this is a skills search/discovery tool. It requires no credentials and only performs HTTP requests to skill indexes and mirrors. Minor inconsistencies: SKILL.md lists Fuse.js and TypeScript in the tech stack, but package.json only depends on axios and the repository is plain JS, not TypeScript. These are likely documentation mismatches rather than functional issues.
Instruction Scope
Runtime instructions are CLI-oriented and the code follows that scope. The implementation issues network calls to clawhub.ai and an external mirror at https://skills.volces.com/api/v1/search to fetch results; it caches results locally. There are no instructions or code paths that read local secrets, system config, or other unrelated files in the provided files. The use of an external mirror (not documented in SKILL.md) is worth noting.
Install Mechanism
No install spec is provided in SKILL.md/registry metadata (instruction-only), but the package contains source files and package.json (depends on axios). That mismatch means the skill will require Node.js/npm to run but the registry metadata doesn't declare an install process. Also SKILL.md mentions Fuse.js which is not present in package.json—this inconsistency may break runtime fuzzy-search features unless the missing dependency is added.
Credentials
The skill declares no required environment variables, no credentials, and no protected config paths. Its network requests are to public HTTP endpoints and it uses local in-memory caching. No secrets access is requested or evident in the code provided.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configuration in the provided code, and has no special persistence or elevated privileges. It behaves like a normal CLI/network client.
Assessment
This skill is internally consistent with being a search/discovery tool and does not request credentials. Before installing or running it: 1) note it will make outbound HTTPS requests to clawhub.ai and to an external mirror at skills.volces.com — verify you trust those hosts (network egress). 2) The repository mentions Fuse.js/TypeScript but package.json only lists axios; ensure required dependencies are installed or add missing packages before running. 3) Because there is no declared install spec, run it in a controlled environment (container or VM) and inspect the remaining truncated files not shown here for any other network endpoints or unexpected behavior. If you need zero network egress, do not install or run this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk976a11cjgb7662sd0skw4wdbx84cy9k
License
MIT-0
Free to use, modify, and redistribute. No attribution required.