ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Skills

v1.0.0

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

6· 8.6k·56 current·62 all-time
by@isainazar
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md shows how to search for and install skills using the Skills CLI (npx skills and skills.sh). There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
Instructions stay within the declared purpose (search and install skills). They do not ask the agent to read unrelated files or secrets. However, the SKILL.md explicitly recommends running npx skills add with -g -y (global and auto-confirm), which will download and execute third-party code; that expands what happens at runtime beyond a benign read/search action.
!
Install Mechanism
No install spec is provided (instruction-only), but the skill tells users/agents to run npx to fetch and install packages from GitHub/npm. npx installs can execute arbitrary code (including postinstall scripts). The recommended global (-g) and -y flags further reduce confirmation/safety. This is expected functionality for an installer, but it is a higher-risk action and should be treated with care.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no disproportionate credential or environment access requested by the SKILL.md content.
Persistence & Privilege
always is false and the skill does not request persistent presence or system-level configuration changes by itself. Note: disable-model-invocation is false (normal), so an agent could run the npx commands autonomously if granted that ability — this is platform-default behavior, not unique to this skill.
Assessment
This skill is internally consistent: it instructs the agent to search and install other skills using the Skills CLI. The main risk is the install step — npx skills add will download and run third-party code (and the SKILL.md even recommends -g -y to auto-confirm global installs). Before installing a discovered skill, inspect its repository (README, package.json, any install/postinstall scripts), prefer installing in a sandbox or non-production environment, avoid global installs on sensitive machines, and only install skills from sources you trust. If you don't want the agent to run installs autonomously, disable autonomous invocation for this skill or require explicit user confirmation before running npx commands.

Like a lobster shell, security has layers — review code before you run it.

latestvk971qj3a4fnxng0c7fdg1s1hs5828mbq
8.6kdownloads
6stars
1versions
Updated 6h ago
v1.0.0
MIT-0
@isainazar
latest
Download

Find Skills

Discover and install skills from the open agent skills ecosystem using the Skills CLI (npx skills).

Skills CLI Commands

npx skills find [query]    # Search for skills interactively or by keyword
npx skills add <package>   # Install a skill from GitHub or other sources
npx skills check           # Check for skill updates
npx skills update          # Update all installed skills

Browse skills at: https://skills.sh/

How to Help Users Find Skills

Step 1: Understand What They Need

Identify:

  • The domain (e.g., React, testing, design, deployment)
  • The specific task (e.g., writing tests, creating animations, reviewing PRs)
  • Whether this is a common enough task that a skill likely exists

Step 2: Search for Skills

npx skills find [query]

Examples:

  • "how do I make my React app faster?" → npx skills find react performance
  • "can you help me with PR reviews?" → npx skills find pr review
  • "I need to create a changelog" → npx skills find changelog

Results format:

Install with npx skills add <owner/repo@skill>

vercel-labs/agent-skills@vercel-react-best-practices
└ https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 3: Present Options to the User

Include:

  • The skill name and what it does
  • The install command
  • A link to learn more at skills.sh

Example:

I found a skill that might help! The "vercel-react-best-practices" skill provides
React and Next.js performance optimization guidelines from Vercel Engineering.

To install it:
npx skills add vercel-labs/agent-skills@vercel-react-best-practices

Learn more: https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 4: Offer to Install

Install with global flag and auto-confirm:

npx skills add <owner/repo@skill> -g -y

Common Skill Categories

CategoryExample Queries
Web Developmentreact, nextjs, typescript, css, tailwind
Testingtesting, jest, playwright, e2e
DevOpsdeploy, docker, kubernetes, ci-cd
Documentationdocs, readme, changelog, api-docs
Code Qualityreview, lint, refactor, best-practices
Designui, ux, design-system, accessibility
Productivityworkflow, automation, git

Tips for Effective Searches

  • Use specific keywords: "react testing" is better than just "testing"
  • Try alternative terms: If "deploy" doesn't work, try "deployment" or "ci-cd"
  • Check popular sources: vercel-labs/agent-skills or ComposioHQ/awesome-claude-skills

When No Skills Are Found

If no relevant skills exist:

  1. Acknowledge that no existing skill was found
  2. Offer to help with the task directly using general capabilities
  3. Suggest creating a custom skill with npx skills init
I searched for skills related to "xyz" but didn't find any matches.
I can still help you with this task directly! Would you like me to proceed?

If this is something you do often, you could create your own skill:
npx skills init my-xyz-skill

Comments

Loading comments...