Find Skills (Robin's Fork)
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is aligned with helping users find skills, but it can guide the agent to install third-party skills globally, so users should approve and verify installs.
Before allowing this skill to install anything, verify the exact owner/repo@skill, review the linked source or skills.sh page, and consider running the install manually without `-y`. The skill is coherent and instruction-only, but global skill installs persist and can change future agent behavior.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or insufficiently reviewed install could add persistent agent behavior the user did not fully understand.
This is purpose-aligned for a skill installer, but it gives the agent a direct path to change the user's installed skill set globally and bypass the CLI's confirmation prompts after the user indicates they want to proceed.
`npx skills add <owner/repo@skill> -g -y` ... The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.
Require explicit confirmation of the exact skill package before installing, show the source link, and consider omitting `-y` so the user can see confirmation prompts.
Installing an untrusted or incorrect third-party skill could introduce unwanted instructions or capabilities into the agent.
The intended workflow installs third-party skills from external sources. That is expected for this skill's purpose, but package identity and maintainer trust matter.
`npx skills add <package>` - Install a skill from GitHub or other sources
Review the skills.sh page or source repository for the exact package before installation, and prefer trusted maintainers or pinned versions where available.
