ClawHub

Search Skills

v1.0.0

Helps users discover and install agent skills when they ask questions like "how do I do X", "search a skill for X", "is there a skill that can...", or expres...

0· 264·2 current·2 all-time
byopenlang@openlang-cn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name and description match the instructions: it tells the agent how to search the skills registry and how to install found skills using the Skills CLI (npx skills). There are no unrelated requirements or hidden capabilities declared.
Instruction Scope
Instructions stay within the skill-discovery/install domain (search queries, present matches, optionally install). However, the SKILL.md explicitly suggests running 'npx skills add <...> -g -y' which will fetch and execute third-party packages and skip prompts; that is outside the agent's control and carries operational risk even though it is relevant to the stated purpose.
Install Mechanism
No install spec or bundled code is present (instruction-only). The runtime guidance relies on npx to download and run packages from the open ecosystem; while this is expected for a package-manager workflow, it is higher-risk than pure read/search actions because npx executes remote code at install time.
Credentials
The skill requests no environment variables, credentials, or config paths. Nothing in SKILL.md attempts to read secrets or unrelated system files.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modify other skills' configs. Autonomous invocation is allowed by default but not combined with other red flags.
Assessment
This skill is internally consistent: it helps find skills and tells you how to install them via the Skills CLI. It does not itself request credentials or write files. However, the recommended install flow uses 'npx' to fetch and execute third-party packages and suggests the global, non-interactive flags (-g -y) which will run code from remote repositories without prompting you. Before installing any discovered skill: 1) inspect the target repository (owner, README, recent commits, issues) to ensure you trust it; 2) avoid '-g -y' so you can review prompts; 3) prefer installing in a sandbox or non-global location; 4) if unsure, ask the agent to fetch the skills.sh link and present the repo so you can manually review before running npx. If you want a stricter posture, only allow installation after explicit user confirmation and avoid running npx installs automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cjh4wnywjwswwe9qxrz72yh82vdkz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments