@kanyun/rush-reskill-usage
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only guide for reskill; it is not inherently unsafe, but it describes commands that can install, remove, or publish agent skills and run an external CLI.
Install this skill only if you want the agent to help with reskill package-management tasks. Before running commands, verify the npm package and registry, avoid --yes/--all/global operations unless you intend broad changes, and confirm any login or publish action with the exact account and registry.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad command could change the skills available to the user's agents or publish something to a registry.
The guide documents commands and options that can change installed agent skills, publish content, apply changes globally or to all agents, and bypass confirmations. This is expected for a package-manager guide, but these are high-impact operations if used without user approval.
`install`, `update`, `uninstall`, `publish` ... `-g, --global` ... `--all` ... `-y, --yes` Skip confirmation prompts
Use install, uninstall, update, publish, --global, --all, and --yes only after explicit user confirmation and with the target skill, registry, and agent scope clearly identified.

The user may run third-party package-manager code and install skills from external sources, which can affect the local agent environment.
The guide recommends installing or executing an external npm CLI and using a default public registry. That is central to the skill's purpose, but unpinned latest-version execution and third-party registries require provenance checks.
`npm install -g reskill` ... `npx reskill@latest` ... Default: `https://rush.zhenguanyu.com/`
Verify the reskill package and registry before use, prefer pinned versions where practical, and avoid running npx/latest or global installs from untrusted sources.

If the agent logs in or publishes with the wrong account or registry, it could use the user's registry permissions unintentionally.
The documented registry commands may use and store authentication for publishing. This is expected for registry workflows, but it introduces account authority.
`login` Authenticate with the registry ... `publish [path]` Publish a skill to the registry ... `logout` Remove stored authentication
Confirm the target registry and account before login or publish, and log out or revoke tokens when no longer needed.
