ClawHub
Back to skill
v0.1.0

Find Skills

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:54 AM.

Analysis

The skill is coherent for finding skills, but it encourages globally installing new agent skills while skipping confirmation prompts, which users should review carefully.

GuidanceUse this skill for searching, but be cautious before allowing it to install anything. Prefer reviewing the listed skill and source first, and ask the agent not to use '-y' or global installation unless you intentionally want a persistent user-level change.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
If the user wants to proceed, you can install the skill for them:

```bash
npx skills add <owner/repo@skill> -g -y
```

The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.

The skill directs the agent to make a persistent global change to the user's agent environment and explicitly skip the CLI's confirmation prompts.

User impactA user could end up with a new globally installed agent skill that affects future behavior without seeing the installer's normal confirmation step.
RecommendationAsk for explicit user confirmation immediately before installation, avoid '-y' by default, prefer project-scoped installation where possible, and show the exact package, source, and expected effects before proceeding.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
`npx skills add <package>` - Install a skill from GitHub or other sources

Installing third-party skills from external sources is central to this skill's purpose, but it introduces supply-chain trust considerations.

User impactInstalled skills may come from external maintainers and could change what the agent can do or access.
RecommendationReview the skill source, maintainer, permissions, and installation scope before adding it, especially for global installs.