Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Find Skills (Robin's Fork)
v0.1.0
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
⭐ 2· 2.5k·7 current·7 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with what the skill does: it helps discover and install agent skills. It does not request unrelated binaries, env vars, or privileges.
Instruction Scope
SKILL.md stays on topic (searching skills, presenting results, offering to install). It explicitly tells the agent to run npx skills find/add and suggests global installation with -g -y (skip confirmation). That is within the skill's purpose but reduces user consent and means the agent may execute unreviewed third‑party code when installing new skills.
Install Mechanism
No install spec or code files are included (instruction-only). The skill relies on the external 'skills' CLI via npx; this is expected for a discovery/installer helper. Note: npx executes remote packages at install time, which is normal but inherently executes third‑party code.
Credentials
Requires no environment variables, credentials, or config paths — proportional to its purpose.
Persistence & Privilege
always:false and no special persistence requested. The default model-invocation/autonomy setting is unchanged; that is normal and not concerning by itself.
Assessment
This skill is coherent and does what it claims, but installing other skills via npx runs third‑party code. Before allowing installs, consider:
(1) Require explicit user confirmation before running any npx skills add command (avoid automated -y).
(2) Prefer not to install globally (-g) unless you understand the implications.
(3) Inspect the skill's repository or package (owner, README, recent commits) before installation.
(4) If possible, test new skills in an isolated environment or sandbox.
(5) If you don't trust a publisher, decline installation and ask the agent to perform the task directly instead.
Like a lobster shell, security has layers — review code before you run it.
