@kanyun/rush-find-skills

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent skill-discovery helper, but it uses an external package manager and registry, so users should verify sources and approve installs carefully.

This skill is reasonable for finding other skills, but treat it like a package manager: verify the registry, publisher, package name, and version before approving installs. Prefer a trusted local reskill installation over automatically running `npx reskill@latest`.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user approves an install, the agent may gain new persistent capabilities from another skill.

Why it was flagged

The skill documents commands that can install other agent skills, which can change agent behavior. This is expected for the stated purpose, and the artifact includes a user-approval step before installation.

Skill content

`reskill install <ref>` — Install a skill ... `Search → Present → Ask → Install` — always show results first, ask the user before installing.

Recommendation

Review search results, registry, publisher, and skill name before approving any installation.

What this means

Running an unpinned CLI can execute code from the current npm package version, and future changes to that package could affect behavior.

Why it was flagged

The skill relies on an external npm-distributed CLI, and the fallback uses the unpinned latest version. This is disclosed and central to the package-manager purpose, but it creates normal supply-chain risk.

Skill content

`npm install -g reskill` ... `npx reskill@latest` can be used as a fallback.

Recommendation

Prefer a trusted local installation, pin versions where possible, and verify the reskill package source before use.

What this means

The package identity and version are less clear than ideal, making it harder to verify exactly which artifact is being installed.

Why it was flagged

The SKILL.md frontmatter identity differs from the supplied registry metadata, which lists @kanyun/rush-find-skills version 0.3.2. The purpose still aligns, but the mismatch is a provenance detail users should notice.

Skill content

`name: clawdhub-find-skills` ... `version: 0.4.0` ... `author: reskill`

Recommendation

Confirm the registry listing, owner, version, and source before relying on the skill.