ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Search First

v1.0.0

Research-before-coding workflow. Search for existing tools, libraries, and patterns before writing custom code. Invokes the researcher agent.

0· 13·1 current·1 all-time
by@wangxiaofei860208-source
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (research-before-coding) align with the SKILL.md: it instructs searching npm/PyPI/GitHub and using a researcher subagent. That purpose does not legitimately require environment secrets or an install spec, which the skill correctly omits. However, the guidance also recommends checking local Claude-related config (~/.claude/settings.json and ~/.claude/skills/) and running tools like `rg` — these are reasonable for a researcher workflow but are not declared in the skill metadata (no required config paths or binaries).
!
Instruction Scope
SKILL.md explicitly instructs the agent to read local files (~/.claude/settings.json and ~/.claude/skills/) and run commands (e.g., `rg`) and to launch a researcher subagent with network searches (npm/PyPI/GitHub/MCP). Reading user-specific config and checking a hidden settings file can expose tokens or personal data; the skill metadata does not declare these paths or explain scope/limits. The instructions also assume availability of tooling (ripgrep) and network access without declaring those requirements.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk during install. This is the lowest-risk install posture.
!
Credentials
The skill declares no required environment variables or credentials, yet its runtime guidance asks the agent to inspect local configuration that may contain tokens and to query external services (GitHub, MCP servers) that might require credentials. The absence of declared env/config requirements is a mismatch with the instructions' potential needs.
Persistence & Privilege
always is false and there is no claim of modifying other skills or system-wide settings. The skill does instruct launching a subagent, which is normal for a researcher workflow. Autonomous invocation is allowed by default but not exceptional here.
What to consider before installing
This skill appears to be what it claims (a 'search-before-coding' workflow), but review the following before enabling it: 1) SKILL.md tells the agent to read ~/.claude/settings.json and ~/.claude/skills/ — those are user-specific config files that may contain tokens or sensitive info. If you do not want the agent to access them, block or sandbox access. 2) The skill assumes command-line tools (e.g., rg) and network access for GitHub/PyPI/MCP; ensure those tools and credentials are available only if you intend the agent to use them. 3) Because the skill is instruction-only, there is no installation payload, but at runtime the agent could install packages or run searches — decide whether to allow autonomous execution or require manual approval. 4) If you need stronger guarantees, ask the skill author to declare required config paths/binaries and to limit which directories the skill should inspect. If unsure, run the researcher agent in a restricted environment or with monitoring enabled.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e8d0xg14ek7xaadkgf71dh9847fpb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

/search-first — Research Before You Code

Systematizes the "search for existing solutions before implementing" workflow.

Trigger

Use this skill when:

  • Starting a new feature that likely has existing solutions
  • Adding a dependency or integration
  • The user asks "add X functionality" and you're about to write code
  • Before creating a new utility, helper, or abstraction

Workflow

┌─────────────────────────────────────────────┐
│  1. NEED ANALYSIS                           │
│     Define what functionality is needed      │
│     Identify language/framework constraints  │
├─────────────────────────────────────────────┤
│  2. PARALLEL SEARCH (researcher agent)      │
│     ┌──────────┐ ┌──────────┐ ┌──────────┐  │
│     │  npm /   │ │  MCP /   │ │  GitHub / │  │
│     │  PyPI    │ │  Skills  │ │  Web      │  │
│     └──────────┘ └──────────┘ └──────────┘  │
├─────────────────────────────────────────────┤
│  3. EVALUATE                                │
│     Score candidates (functionality, maint, │
│     community, docs, license, deps)         │
├─────────────────────────────────────────────┤
│  4. DECIDE                                  │
│     ┌─────────┐  ┌──────────┐  ┌─────────┐  │
│     │  Adopt  │  │  Extend  │  │  Build   │  │
│     │ as-is   │  │  /Wrap   │  │  Custom  │  │
│     └─────────┘  └──────────┘  └─────────┘  │
├─────────────────────────────────────────────┤
│  5. IMPLEMENT                               │
│     Install package / Configure MCP /       │
│     Write minimal custom code               │
└─────────────────────────────────────────────┘

Decision Matrix

SignalAction
Exact match, well-maintained, MIT/ApacheAdopt — install and use directly
Partial match, good foundationExtend — install + write thin wrapper
Multiple weak matchesCompose — combine 2-3 small packages
Nothing suitable foundBuild — write custom, but informed by research

How to Use

Quick Mode (inline)

Before writing a utility or adding functionality, mentally run through:

  1. Does this already exist in the repo? → rg through relevant modules/tests first
  2. Is this a common problem? → Search npm/PyPI
  3. Is there an MCP for this? → Check ~/.claude/settings.json and search
  4. Is there a skill for this? → Check ~/.claude/skills/
  5. Is there a GitHub implementation/template? → Run GitHub code search for maintained OSS before writing net-new code

Full Mode (agent)

For non-trivial functionality, launch the researcher agent:

Task(subagent_type="general-purpose", prompt="
  Research existing tools for: [DESCRIPTION]
  Language/framework: [LANG]
  Constraints: [ANY]

  Search: npm/PyPI, MCP servers, Claude Code skills, GitHub
  Return: Structured comparison with recommendation
")

Search Shortcuts by Category

Development Tooling

  • Linting → eslint, ruff, textlint, markdownlint
  • Formatting → prettier, black, gofmt
  • Testing → jest, pytest, go test
  • Pre-commit → husky, lint-staged, pre-commit

AI/LLM Integration

  • Claude SDK → Context7 for latest docs
  • Prompt management → Check MCP servers
  • Document processing → unstructured, pdfplumber, mammoth

Data & APIs

  • HTTP clients → httpx (Python), ky/got (Node)
  • Validation → zod (TS), pydantic (Python)
  • Database → Check for MCP servers first

Content & Publishing

  • Markdown processing → remark, unified, markdown-it
  • Image optimization → sharp, imagemin

Integration Points

With planner agent

The planner should invoke researcher before Phase 1 (Architecture Review):

  • Researcher identifies available tools
  • Planner incorporates them into the implementation plan
  • Avoids "reinventing the wheel" in the plan

With architect agent

The architect should consult researcher for:

  • Technology stack decisions
  • Integration pattern discovery
  • Existing reference architectures

With iterative-retrieval skill

Combine for progressive discovery:

  • Cycle 1: Broad search (npm, PyPI, MCP)
  • Cycle 2: Evaluate top candidates in detail
  • Cycle 3: Test compatibility with project constraints

Examples

Example 1: "Add dead link checking"

Need: Check markdown files for broken links
Search: npm "markdown dead link checker"
Found: textlint-rule-no-dead-link (score: 9/10)
Action: ADOPT — npm install textlint-rule-no-dead-link
Result: Zero custom code, battle-tested solution

Example 2: "Add HTTP client wrapper"

Need: Resilient HTTP client with retries and timeout handling
Search: npm "http client retry", PyPI "httpx retry"
Found: got (Node) with retry plugin, httpx (Python) with built-in retry
Action: ADOPT — use got/httpx directly with retry config
Result: Zero custom code, production-proven libraries

Example 3: "Add config file linter"

Need: Validate project config files against a schema
Search: npm "config linter schema", "json schema validator cli"
Found: ajv-cli (score: 8/10)
Action: ADOPT + EXTEND — install ajv-cli, write project-specific schema
Result: 1 package + 1 schema file, no custom validation logic

Anti-Patterns

  • Jumping to code: Writing a utility without checking if one exists
  • Ignoring MCP: Not checking if an MCP server already provides the capability
  • Over-customizing: Wrapping a library so heavily it loses its benefits
  • Dependency bloat: Installing a massive package for one small feature

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…