ClawHub
Back to skill
v1.0.0

Find Skills Local

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:50 AM.

Analysis

This instruction-only skill is coherent for finding and installing skills, but users should review registry source, version, and risk details before allowing any install.

GuidanceThis skill appears safe as an instruction-only discovery helper. Use it with normal caution: do not install a recommended skill until you have reviewed its source, version, publisher, permissions, and risk signals.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityInfoConfidenceHighStatusNote
SKILL.md
This skill is highest-priority for skill discovery/install intents.

The artifact tells the agent to prioritize this flow for a defined class of user requests. That is aligned with the skill’s purpose, but users should notice the strong invocation language.

User impactFor skill-search or install requests, the agent may route through this workflow before giving a general answer.
RecommendationKeep the trigger limited to explicit skill discovery or install requests, and do not use it to override unrelated user tasks.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
If the user wants to proceed, you can install the skill for them.

Installing skills is a high-impact action because it can change the agent’s available behavior, but the instruction is purpose-aligned and conditioned on user intent.

User impactThe agent may offer to run an install command that changes the user’s skill environment.
RecommendationBefore approving installation, confirm the exact skill name, source, version, and any notable risk signals.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
SKILL.md
Try `skillhub install <slug>` when the result comes from `skillhub`. If no `skillhub` candidate exists, use `clawhub install <slug>`.

The skill directs installation from external skill registries. This is expected for a skill-discovery tool, but it introduces normal supply-chain review needs.

User impactA chosen skill may come from an external registry and could have its own permissions, code, or risks.
RecommendationReview the selected skill’s publisher, version, capabilities, install steps, and security signals before installing.