Find Skills

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be an ordinary ClawHub skill-search helper: it discloses that the search query can come from a file or stdin, and it has an explicit install option that should be used carefully.

This skill is reasonable for searching and checking ClawHub skills. Before installing, make sure you trust the local clawhub CLI, avoid using sensitive files as search input, and only use --execute after reviewing the skill you plan to install.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If a sensitive local file is used as the search query, its contents could be exposed through the ClawHub search workflow.

Why it was flagged

The skill documents that search input can come from a file or stdin and that the resulting query is passed to the ClawHub CLI. This is purpose-aligned, but users should avoid pointing it at sensitive files.

Skill content
Input: a plain string, `{"q":"…"}`, `@file`, or stdin `-`. ... What is sent to `clawhub` is still the **original query**.
Recommendation

Use ordinary search terms where possible, and do not use @file or stdin with secrets, credentials, private documents, or other sensitive content.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing another skill may add new code, permissions, or behavior to the agent environment.

Why it was flagged

The skill can invoke installation of another ClawHub skill when explicitly run with --execute. The default dry-run behavior is a useful guardrail, but installing skills changes the agent environment.

Skill content
`install` | dry run by default; `--execute` performs the real install
Recommendation

Keep the dry-run default unless you intend to install, and review the target skill’s artifacts and permissions before using --execute.