Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

myskill

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 30 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md describes a lightweight 'find and install skills' helper that uses the Skills CLI (npx skills). However, the package also contains a Python script that creates a local 'sample_skill' directory, registers that skill via an agentscope Toolkit, and constructs a DashScopeChatModel that reads os.environ['DASHSCOPE_API_KEY']. The script's dependencies and environment access (DashScope API key, agentscope) are not reflected in the skill metadata and are not necessary for the described find/install functionality.
Instruction Scope
The runtime instructions (SKILL.md) are limited to guiding an agent to use 'npx skills find' and 'npx skills add'. Those instructions are coherent. However, SKILL.md does not mention the included Python script at all. The instructions also recommend 'npx skills add ... -g -y' which installs globally and skips confirmations — a potentially risky operation if performed without explicit user consent.
Install Mechanism
There is no install spec (instruction-only), which is low risk. But the repository includes an executable Python file that, if run, will write files to the current working directory (creates sample_skill/SKILL.md) and calls Toolkit.register_agent_skill. The package does not declare this behavior, so the presence of code capable of filesystem writes is an unexpected surface area.
Credentials
Manifest declares no required environment variables, yet the Python script directly references os.environ['DASHSCOPE_API_KEY'] (required at runtime). This is a clear mismatch: the skill asks for an API key it never declared and which is unrelated to the stated purpose of searching/installing skills.
Persistence & Privilege
Skill flags are default (no 'always' privilege). The Python script registers a skill via Toolkit.register_agent_skill and writes a sample skill directory, which may modify agent skill registrations or leave files on disk if executed. The metadata does not disclose any config path modifications; this discrepancy is noteworthy but not on its own proof of malicious intent.
What to consider before installing
This skill's visible instructions are harmless (searching with 'npx skills'), but the included Python script deviates from the manifest in ways that could have side effects. Before installing or letting an agent run this skill:

  1. Ask the publisher why the Python script is included and why it needs DASHSCOPE_API_KEY (not advertised).
  2. Review or run the Python file only in a sandbox to see what it does (it creates sample_skill/ and calls Toolkit.register_agent_skill).
  3. Avoid allowing automated/global installs with '-g -y' without explicit user confirmation.
  4. If you don't intend to run the Python script, consider removing or isolating it; if you do need its functionality, require the manifest be updated to declare the DASHSCOPE_API_KEY dependency and any filesystem/config changes.

If the publisher can't explain the mismatch, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97342ad37ncw7nw8f0vvcbkj58304af

SKILL.md

Find Skills

This skill helps you discover and install skills from the open agent skills ecosystem.

When to Use This Skill

Use this skill when the user:

  • Asks "how do I do X" where X might be a common task with an existing skill
  • Says "find a skill for X" or "is there a skill for X"
  • Asks "can you do X" where X is a specialized capability
  • Expresses interest in extending agent capabilities
  • Wants to search for tools, templates, or workflows
  • Mentions they wish they had help with a specific domain (design, testing, deployment, etc.)

What is the Skills CLI?

The Skills CLI (npx skills) is the package manager for the open agent skills ecosystem. Skills are modular packages that extend agent capabilities with specialized knowledge, workflows, and tools.

Key commands:

  • npx skills find [query] - Search for skills interactively or by keyword
  • npx skills add <package> - Install a skill from GitHub or other sources
  • npx skills check - Check for skill updates
  • npx skills update - Update all installed skills

Browse skills at: https://skills.sh/

How to Help Users Find Skills

Step 1: Understand What They Need

When a user asks for help with something, identify:

  1. The domain (e.g., React, testing, design, deployment)
  2. The specific task (e.g., writing tests, creating animations, reviewing PRs)
  3. Whether this is a common enough task that a skill likely exists

Step 2: Search for Skills

Run the find command with a relevant query:

npx skills find [query]

For example:

  • User asks "how do I make my React app faster?" → npx skills find react performance
  • User asks "can you help me with PR reviews?" → npx skills find pr review
  • User asks "I need to create a changelog" → npx skills find changelog

The command will return results like:

Install with npx skills add <owner/repo@skill>

vercel-labs/agent-skills@vercel-react-best-practices
└ https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 3: Present Options to the User

When you find relevant skills, present them to the user with:

  1. The skill name and what it does
  2. The install command they can run
  3. A link to learn more at skills.sh

Example response:

I found a skill that might help! The "vercel-react-best-practices" skill provides
React and Next.js performance optimization guidelines from Vercel Engineering.

To install it:
npx skills add vercel-labs/agent-skills@vercel-react-best-practices

Learn more: https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 4: Offer to Install

If the user wants to proceed, you can install the skill for them:

npx skills add <owner/repo@skill> -g -y

The -g flag installs globally (user-level) and -y skips confirmation prompts.

Common Skill Categories

When searching, consider these common categories:

| Category | Example Queries |
| --- | --- |
| Web Development | react, nextjs, typescript, css, tailwind |
| Testing | testing, jest, playwright, e2e |
| DevOps | deploy, docker, kubernetes, ci-cd |
| Documentation | docs, readme, changelog, api-docs |
| Code Quality | review, lint, refactor, best-practices |
| Design | ui, ux, design-system, accessibility |
| Productivity | workflow, automation, git |

Tips for Effective Searches

  1. Use specific keywords: "react testing" is better than just "testing"
  2. Try alternative terms: If "deploy" doesn't work, try "deployment" or "ci-cd"
  3. Check popular sources: Many skills come from vercel-labs/agent-skills or ComposioHQ/awesome-claude-skills

When No Skills Are Found

If no relevant skills exist:

  1. Acknowledge that no existing skill was found
  2. Offer to help with the task directly using your general capabilities
  3. Suggest the user could create their own skill with npx skills init

Example:

I searched for skills related to "xyz" but didn't find any matches.
I can still help you with this task directly! Would you like me to proceed?

If this is something you do often, you could create your own skill:
npx skills init my-xyz-skill

Files

3 total