find-slills

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent, but its default install flow can add third-party skills globally while skipping confirmation prompts.

Before allowing this skill to install anything, review the skill source and publisher, avoid no-confirm installs when possible, and understand that a global install can affect future agent behavior.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could approve installation in chat while missing details that a confirmation prompt might have shown, and the new skill would be installed globally for future use.

Why it was flagged

This gives the agent a global install command that suppresses the CLI's confirmation step, which can mutate the user's agent environment without the normal interactive review.

Skill content

If the user wants to proceed, you can install the skill for them:

```bash
npx skills add <owner/repo@skill> -g -y
```

The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.

Recommendation

Do not use `-y` by default; show the exact package, source, and expected impact, and ask for explicit confirmation immediately before installation.

What this means

Installing an unreviewed third-party skill could introduce unsafe instructions or future behavior into the user's agent setup.

Why it was flagged

The skill directs installation of third-party packages from broad sources without version pinning, source verification, or trust-review guidance.

Skill content

`npx skills add <package>` - Install a skill from GitHub or other sources

Recommendation

Require source review before install, prefer trusted publishers and pinned versions where supported, and link users to the skill's homepage or repository for inspection.

What this means

A bad or unsuitable skill could continue influencing future work until removed.

Why it was flagged

Global installation means the installed skill can affect later agent sessions, not just the current request.

Skill content

The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.

Recommendation

Prefer scoped/local installation when possible and provide uninstall or rollback instructions for any installed skill.