@kanyun/rush-reskill-usage

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: rush-reskill-usage
Version: 0.1.1

The skill bundle is a legitimate usage guide for 'reskill', a Git-based package manager for AI agent skills. It provides comprehensive instructions for CLI commands, configuration via skills.json, and multi-agent integration (e.g., Cursor, Claude Code). While it directs the agent to use a specific default registry (https://rush.zhenguanyu.com/) and recommends installing a CLI tool via npm, these actions are entirely consistent with the stated purpose of the skill and show no evidence of malicious intent, data exfiltration, or hidden prompt-injection attacks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad command could change the skills available to the user's agents or publish something to a registry.

Why it was flagged

The guide documents commands and options that can change installed agent skills, publish content, apply changes globally or to all agents, and bypass confirmations. This is expected for a package-manager guide, but these are high-impact operations if used without user approval.

Skill content

`install`, `update`, `uninstall`, `publish` ... `-g, --global` ... `--all` ... `-y, --yes` Skip confirmation prompts

Recommendation

Use install, uninstall, update, publish, --global, --all, and --yes only after explicit user confirmation and with the target skill, registry, and agent scope clearly identified.

What this means

The user may run third-party package-manager code and install skills from external sources, which can affect the local agent environment.

Why it was flagged

The guide recommends installing or executing an external npm CLI and using a default public registry. That is central to the skill's purpose, but unpinned latest-version execution and third-party registries require provenance checks.

Skill content

`npm install -g reskill` ... `npx reskill@latest` ... Default: `https://rush.zhenguanyu.com/`

Recommendation

Verify the reskill package and registry before use, prefer pinned versions where practical, and avoid running npx/latest or global installs from untrusted sources.

What this means

If the agent logs in or publishes with the wrong account or registry, it could use the user's registry permissions unintentionally.

Why it was flagged

The documented registry commands may use and store authentication for publishing. This is expected for registry workflows, but it introduces account authority.

Skill content

`login` Authenticate with the registry ... `publish [path]` Publish a skill to the registry ... `logout` Remove stored authentication

Recommendation

Confirm the target registry and account before login or publish, and log out or revoke tokens when no longer needed.