Muguozi1 Openclaw Find Skills
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is coherent, but its default workflow can globally install external skills while skipping confirmation prompts.
Use this skill only if you are comfortable with the agent searching for and potentially installing other skills. Before installing, review the skill source, author, version, and permissions, and consider removing `-y` or avoiding global installation unless you explicitly want a persistent user-level change.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could approve an install and have a new skill added globally without seeing the normal confirmation checks, affecting future agent behavior.
This gives the agent a documented path to make persistent global changes while bypassing CLI confirmation prompts. It is related to the skill’s purpose, but lacks stronger review, scoping, or rollback guidance.
If the user wants to proceed, you can install the skill for them:
`npx skills add <owner/repo@skill> -g -y`
The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.
Require explicit user approval for each install, show the exact source and expected effects, avoid `-y` by default, and prefer scoped/local installation unless the user specifically asks for global installation.
Installing an unreviewed external skill could introduce unsafe instructions or capabilities into the user’s agent environment.
The skill encourages installing packages from external sources, but the artifacts do not add provenance checks, version pinning, permission review, or trust guidance before the global no-confirm install path.
`npx skills add <package>` - Install a skill from GitHub or other sources
Before installation, have the agent present the source, author, version, requested capabilities, and a review link; avoid installing from unknown sources or unpinned references.
Users may over-trust the skill’s stated quality or test status.
The included tests are placeholders that always pass, while the documentation claims strong test coverage and quality. This is not direct malicious behavior, but it makes the quality claims less reliable.
# TODO: add actual tests
print("✓ PASSED")
return True
Treat the quality badges and optimization claims as unverified; rely on the actual reviewed behavior and add real tests if maintaining the skill.
