Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Find Skill HEQI
v1.0.0
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes discovering and installing skills and explicitly instructs using the 'npx skills' CLI and skills.sh. There are no unrelated required env vars, binaries, or config paths. The commands and guidance align with the stated purpose.
Instruction Scope
Instructions tell the agent to run 'npx skills find' and 'npx skills add' (including a global install example using '-g -y'). This stays within the skill-discovery scope, but it advises skipping confirmation and performing global installs without suggesting provenance checks. The document does not declare that Node/npm must be present (implicit requirement).
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, the recommended mechanism is 'npx' which will fetch and run third-party packages (from npm/GitHub). That is expected for a package manager-based workflow but carries the usual risk that installing a skill may execute arbitrary install-time code. The skill does reference skills.sh (a plausible central index).
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportional to its discovery/install purpose. Note: Node/npm availability is implicitly required but not requested as an env var.
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform privileges. It does suggest installing other skills globally (which affects the user's environment), but that is an outcome of running 'npx skills add' rather than a property of this skill itself.
Assessment
This skill is coherent: it only instructs how to search for and install skills using the 'skills' CLI. Before installing anything it finds, verify the package/repository and read its README and install scripts—'npx' can run arbitrary code during install. Prefer running installs locally (without '-g') or in a controlled environment, avoid using '-y' to skip confirmations, and ensure you have Node/npm installed. If you're unsure about a third-party skill, inspect its source or test installation inside a container or VM.
Like a lobster shell, security has layers — review code before you run it.
