Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

find-skills-gitcode

v1.0.1

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

1 star · 99 downloads · 0 current · 0 all-time
by JHercules_qz @jherculesqz

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jherculesqz/find-skills-gitcode.

Install the skill "find-skills-gitcode" (jherculesqz/find-skills-gitcode) from ClawHub.
Skill page: https://clawhub.ai/jherculesqz/find-skills-gitcode
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install find-skills-gitcode

ClawHub CLI

npx clawhub@latest install find-skills-gitcode

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description ('find-skills') align with the SKILL.md: it is a discovery and install helper for skills. The guidance on searching, vetting, and presenting skills is coherent with the stated purpose.
! Instruction Scope
The instructions explicitly tell the agent/user to run 'npx skills-gitcode find' and 'npx skills-gitcode add <package>' and to install with 'npx skills-gitcode add <owner/repo@skill> -g -y'. Those commands will download and execute remote code at runtime and the recommended '-g -y' suppresses confirmation prompts. The SKILL.md does not require or instruct signature/veracity checks of packages beyond heuristic checks (installs, stars), nor does it require explicit user confirmation before performing installs — increasing the risk of executing untrusted code.
! Install Mechanism
There is no declared install spec for this skill itself (instruction-only), but the runtime guidance relies on 'npx', which dynamically fetches and runs packages from the npm registry (or other sources). Dynamic downloads via npx are inherently higher-risk because they execute remote code. The document's explicit recommendation to use global installs and skip confirmations ('-g -y') raises the risk further.
Credentials
The skill declares no required environment variables, binaries, or config paths, and the SKILL.md does not request secrets or access to unrelated credentials. No disproportionate credential access is requested.
Persistence & Privilege
Skill flags are normal: always=false and disable-model-invocation=false (agent may invoke autonomously as usual). The SKILL.md recommends installing other skills globally (which would persist on the host), but the skill itself does not request persistent privileges or modify other skills' configurations.
What to consider before installing
This skill is coherent with its purpose (finding and installing other skills) but it tells you to run npx commands that will download and execute remote code — and even recommends using '-g -y' to skip prompts. Before installing anything discovered by this skill: 1) review the package/repo source manually (README, author, commits); 2) avoid globally installing unknown packages or using '-y' without understanding what will be run; 3) prefer installing in a confined environment or container; 4) verify package versions and prefer well-known publishers; 5) ask the agent to show the exact install command and the repository link and get your explicit approval before running it. If you want a safer mode, require the agent to only produce recommendations and never run 'npx' or install without explicit, per-install confirmation.
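
The checks recommended above (show the exact install command, avoid '-g' and '-y', prefer well-known publishers, get per-install approval) can be enforced before an agent runs anything. The following is an added example, not ClawHub's or the skill's own code; the function name, the publisher list (taken from the skill's Step 4) and the owner/repo@skill target pattern are assumptions.

```javascript
// Added example: vet an agent-proposed install command before it is run.
// Nothing here executes the command; it only decides what to show the user.
const RISKY_FLAGS = new Map([
  ["-y", "skips the confirmation prompt"],
  ["-g", "installs globally, so the skill persists at user level"],
]);
// Assumption: publishers the operator trusts (names taken from the skill's Step 4).
const KNOWN_PUBLISHERS = new Set(["vercel-labs", "anthropics", "microsoft"]);

function vetInstallCommand(command) {
  const reject = (reason) => ({ verdict: "reject", findings: [reason] });
  // A proposed "install" must not be able to chain or substitute other commands.
  if (/[;&|`$<>(){}\\\n]/.test(command)) return reject("shell metacharacters in command");

  const [bin, pkg, verb, ...rest] = command.trim().split(/\s+/);
  if (bin !== "npx" || pkg !== "skills-gitcode" || verb !== "add") {
    return reject("not an 'npx skills-gitcode add' command");
  }
  const flags = rest.filter((arg) => arg.startsWith("-"));
  const targets = rest.filter((arg) => !arg.startsWith("-"));
  // Assumed target shape: exactly one owner/repo@skill reference.
  const m = targets.length === 1 ? /^([\w.-]+)\/([\w.-]+)@([\w.-]+)$/.exec(targets[0]) : null;
  if (!m) return reject("target is not a single owner/repo@skill reference");

  const [, owner, repo, skill] = m;
  const findings = flags.map((f) =>
    RISKY_FLAGS.has(f) ? `${f}: ${RISKY_FLAGS.get(f)}` : `${f}: unrecognized flag`
  );
  if (!KNOWN_PUBLISHERS.has(owner)) {
    findings.push(`publisher '${owner}' is not on the known-publisher list`);
  }
  return {
    verdict: "ask-user", // never auto-approve: each install needs explicit consent
    findings,
    source: `${owner}/${repo}`,
    // Command to display for approval, with every flag stripped.
    display: `npx skills-gitcode add ${owner}/${repo}@${skill}`,
  };
}

// Constructed sample: the install form the skill's Step 6 recommends.
const sample = vetInstallCommand(
  "npx skills-gitcode add vercel-labs/agent-skills@react-best-practices -g -y"
);
console.log(sample.verdict, sample.findings, sample.display);
```

A "reject" verdict means the command is never shown as runnable; "ask-user" means the stripped command and the findings go to the user, who approves or declines that one install.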

Like a lobster shell, security has layers — review code before you run it.

latest vk9784c1vpbst2zpv1b4938swan83h4t8
99 downloads
1 star
2 versions
Updated 1mo ago
v1.0.1
MIT-0

Find Skills

This skill helps you discover and install skills from the open agent skills ecosystem.

When to Use This Skill

Use this skill when the user:

  • Asks "how do I do X" where X might be a common task with an existing skill
  • Says "find a skill for X" or "is there a skill for X"
  • Asks "can you do X" where X is a specialized capability
  • Expresses interest in extending agent capabilities
  • Wants to search for tools, templates, or workflows
  • Mentions they wish they had help with a specific domain (design, testing, deployment, etc.)

What is the Skills CLI?

The Skills CLI (npx skills-gitcode) is the package manager for the open agent skills ecosystem. Skills are modular packages that extend agent capabilities with specialized knowledge, workflows, and tools.

Key commands:

  • npx skills-gitcode find [query] - Search for skills interactively or by keyword
  • npx skills-gitcode add <package> - Install a skill from GitHub or other sources
  • npx skills-gitcode check - Check for skill updates
  • npx skills-gitcode update - Update all installed skills

Browse skills at: https://skills.sh/

How to Help Users Find Skills

Step 1: Understand What They Need

When a user asks for help with something, identify:

  1. The domain (e.g., React, testing, design, deployment)
  2. The specific task (e.g., writing tests, creating animations, reviewing PRs)
  3. Whether this is a common enough task that a skill likely exists

Step 2: Check the Leaderboard First

Before running a CLI search, check the skills.sh leaderboard to see if a well-known skill already exists for the domain. The leaderboard ranks skills by total installs, surfacing the most popular and battle-tested options.

For example, top skills for web development include:

  • vercel-labs/agent-skills — React, Next.js, web design (100K+ installs each)
  • anthropics/skills — Frontend design, document processing (100K+ installs)

Step 3: Search for Skills

If the leaderboard doesn't cover the user's need, run the find command:

npx skills-gitcode find [query]

For example:

  • User asks "how do I make my React app faster?" → npx skills-gitcode find react performance
  • User asks "can you help me with PR reviews?" → npx skills-gitcode find pr review
  • User asks "I need to create a changelog" → npx skills-gitcode find changelog

Step 4: Verify Quality Before Recommending

Do not recommend a skill based solely on search results. Always verify:

  1. Install count — Prefer skills with 1K+ installs. Be cautious with anything under 100.
  2. Source reputation — Official sources (vercel-labs, anthropics, microsoft) are more trustworthy than unknown authors.
  3. GitHub stars — Check the source repository. A skill from a repo with <100 stars should be treated with skepticism.

Step 5: Present Options to the User

When you find relevant skills, present them to the user with:

  1. The skill name and what it does
  2. The install count and source
  3. The install command they can run
  4. A link to learn more at skills.sh

Example response:

I found a skill that might help! The "react-best-practices" skill provides
React and Next.js performance optimization guidelines from Vercel Engineering.
(185K installs)

To install it:
npx skills-gitcode add vercel-labs/agent-skills@react-best-practices

Learn more: https://skills.sh/vercel-labs/agent-skills/react-best-practices

Step 6: Offer to Install

If the user wants to proceed, you can install the skill for them:

npx skills-gitcode add <owner/repo@skill> -g -y

The -g flag installs globally (user-level) and -y skips confirmation prompts.

Common Skill Categories

When searching, consider these common categories:

Category          Example Queries
Web Development   react, nextjs, typescript, css, tailwind
Testing           testing, jest, playwright, e2e
DevOps            deploy, docker, kubernetes, ci-cd
Documentation     docs, readme, changelog, api-docs
Code Quality      review, lint, refactor, best-practices
Design            ui, ux, design-system, accessibility
Productivity      workflow, automation, git

Tips for Effective Searches

  1. Use specific keywords: "react testing" is better than just "testing"
  2. Try alternative terms: If "deploy" doesn't work, try "deployment" or "ci-cd"
  3. Check popular sources: Many skills come from vercel-labs/agent-skills or ComposioHQ/awesome-claude-skills

When No Skills Are Found

If no relevant skills exist:

  1. Acknowledge that no existing skill was found
  2. Offer to help with the task directly using your general capabilities
  3. Suggest the user could create their own skill with npx skills-gitcode init

Example:

I searched for skills related to "xyz" but didn't find any matches.
I can still help you with this task directly! Would you like me to proceed?

If this is something you do often, you could create your own skill:
npx skills-gitcode init my-xyz-skill
