Find Skills 0.1.0
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves installation too quickly, a third-party skill could be installed globally without the CLI asking for another confirmation.
The command is purpose-aligned, but it gives the agent a path to modify the user's installed skill set globally and bypass the CLI's confirmation prompts after user approval.
If the user wants to proceed, you can install the skill for them:
```bash
npx skills add <owner/repo@skill> -g -y
```
The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.
Ask the user for explicit approval before installation, show the exact package name/source, and consider omitting `-y` so the user can review the CLI confirmation.
The quality and safety of any installed skill depends on the external source selected by the user and agent.
Installing skills from external repositories is central to the stated purpose, but it introduces normal third-party package provenance risk.
`npx skills add <package>` - Install a skill from GitHub or other sources
Review the skill page, source repository, publisher, permissions, and installation instructions before installing.
Installed skills may remain available to the agent in future sessions.
Global installation is explicitly disclosed and purpose-aligned, but it creates persistent changes to the user's agent environment.
The `-g` flag installs globally (user-level)
Install globally only for skills you expect to use again, and periodically review or remove skills you no longer need.
