Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Skills

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with the instructions: it is a discovery/install helper that uses the 'skills' CLI. However, the SKILL.md repeatedly instructs the agent to run 'npx skills' commands (which require Node/npm/npx) while the registry metadata lists no required binaries; this omission is an inconsistency.
Instruction Scope
The instructions explicitly tell the agent how to search and to install skills using commands like 'npx skills add <owner/repo@skill> -g -y'. That runs remote code from package registries or GitHub and the '-g -y' recommendation bypasses confirmation prompts. While this is within the stated purpose (discovering/installing skills), it expands the agent's ability to fetch and execute arbitrary third-party code and to install it globally without further confirmation.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk-written install-time artifacts from the skill itself. But the runtime instructions rely on 'npx', which downloads and executes packages from npm/GitHub at runtime — a higher-risk mechanism than using only pre-installed, vetted binaries. The skill does not declare Node/npm/npx as required, which is a mismatch between declared requirements and actual instructions.
Credentials
The skill does not request environment variables, credentials, or config paths. Nothing in the SKILL.md asks for secrets or unrelated system config.
Persistence & Privilege
The skill is not 'always: true' and requires user invocation. However, the SKILL.md explicitly recommends using '-g -y' to install skills globally and skip confirmations; because model invocation is allowed (disable-model-invocation: false), an agent could attempt to perform installs autonomously. This combination increases the blast radius if an agent is permitted to run shell commands without an extra human confirmation.
What to consider before installing
This skill appears to do what it says (search and install other skills), but review these points before installing or letting an agent run it unattended:

  • Node/npm/npx is required to follow its instructions, yet the metadata doesn't list those binaries. If you run it, make sure npx is installed and trusted on the host.
  • The skill tells the agent to use 'npx skills add <...> -g -y' which will download and execute third-party code and install it globally while skipping confirmation. Do not allow autonomous installs unless you trust the source. Prefer running installs yourself after reviewing the target repository.
  • When the agent presents a candidate skill, verify the skills.sh link and the owner/repo before running the add command.
  • If you want to reduce risk, disable autonomous model invocation for this skill or require explicit user confirmation for any 'npx skills add' action; avoid using '-y' and global installs unless necessary.

If you want to proceed, treat this skill as a convenience for discovery only and retain manual control over any actual 'npx skills add' operations.
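
One way to enforce the confirmation requirement recommended above, as an added example that is not part of the scan report or of the skill itself: a Python gate that an agent runtime could call before executing a proposed shell command. The function name, the reviewed-owner list, the read-only subcommand set and the allow/confirm/deny decisions are assumptions of this example.

```python
import re
import shlex

# owner/repo@skill, the form shown in the SKILL.md examples. Restricting "add"
# to this form is a policy choice of this example, not a rule of the CLI.
SPEC_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+")
FLAG_NOTES = {"-g": "global install", "-y": "skips confirmation prompts"}
READ_ONLY = {"find", "check"}  # assumption: these do not change installed skills


def vet_skills_command(command, reviewed_owners=frozenset()):
    """Return (decision, argv_to_run, reasons); decision is allow/confirm/deny."""
    # Reject chaining, substitution and redirection; this also catches an
    # unfilled "<owner/repo@skill>" placeholder.
    if re.search(r"[;&|`$<>\n]", command):
        return "deny", [], ["shell metacharacters in command"]
    try:
        argv = shlex.split(command)
    except ValueError:
        return "deny", [], ["unparseable command line"]
    if len(argv) < 3 or argv[:2] != ["npx", "skills"]:
        return "deny", [], ["not an 'npx skills' subcommand"]
    sub, rest = argv[2], argv[3:]
    if sub in READ_ONLY:
        # npx still fetches and runs the CLI package itself; trusting that
        # package is an assumption of this example.
        return "allow", argv, []
    if sub != "add":
        return "confirm", argv, [f"'{sub}' is not on the read-only list"]
    flags = [a for a in rest if a.startswith("-")]
    specs = [a for a in rest if not a.startswith("-")]
    if len(specs) != 1 or not SPEC_RE.fullmatch(specs[0]):
        return "deny", [], ["expected exactly one owner/repo@skill argument"]
    reasons = ["downloads and installs third-party code"]
    # Drop every flag so a human re-adds -g or -y deliberately if needed.
    reasons += [f"removed {f}: {FLAG_NOTES.get(f, 'unreviewed flag')}" for f in flags]
    owner = specs[0].split("/", 1)[0]
    if owner not in reviewed_owners:
        reasons.append(f"owner '{owner}' is not on the reviewed list")
    return "confirm", ["npx", "skills", "add", specs[0]], reasons


if __name__ == "__main__":
    # Constructed sample: the install line from Step 4 with a concrete package.
    cmd = "npx skills add vercel-labs/agent-skills@vercel-react-best-practices -g -y"
    print(vet_skills_command(cmd, reviewed_owners={"vercel-labs"}))
```

A "confirm" result is meant to be shown to the user together with its reasons, and only the returned argv (with the flags removed) is run once they approve.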

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0


SKILL.md

Find Skills

This skill helps you discover and install skills from the open agent skills ecosystem.

When to Use This Skill

Use this skill when the user:

  • Asks "how do I do X" where X might be a common task with an existing skill
  • Says "find a skill for X" or "is there a skill for X"
  • Asks "can you do X" where X is a specialized capability
  • Expresses interest in extending agent capabilities
  • Wants to search for tools, templates, or workflows
  • Mentions they wish they had help with a specific domain (design, testing, deployment, etc.)

What is the Skills CLI?

The Skills CLI (npx skills) is the package manager for the open agent skills ecosystem. Skills are modular packages that extend agent capabilities with specialized knowledge, workflows, and tools.

Key commands:

  • npx skills find [query] - Search for skills interactively or by keyword
  • npx skills add <package> - Install a skill from GitHub or other sources
  • npx skills check - Check for skill updates
  • npx skills update - Update all installed skills

Browse skills at: https://skills.sh/

How to Help Users Find Skills

Step 1: Understand What They Need

When a user asks for help with something, identify:

  1. The domain (e.g., React, testing, design, deployment)
  2. The specific task (e.g., writing tests, creating animations, reviewing PRs)
  3. Whether this is a common enough task that a skill likely exists

Step 2: Search for Skills

Run the find command with a relevant query:

npx skills find [query]

For example:

  • User asks "how do I make my React app faster?" → npx skills find react performance
  • User asks "can you help me with PR reviews?" → npx skills find pr review
  • User asks "I need to create a changelog" → npx skills find changelog

The command will return results like:

Install with npx skills add <owner/repo@skill>

vercel-labs/agent-skills@vercel-react-best-practices
└ https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 3: Present Options to the User

When you find relevant skills, present them to the user with:

  1. The skill name and what it does
  2. The install command they can run
  3. A link to learn more at skills.sh

Example response:

I found a skill that might help! The "vercel-react-best-practices" skill provides
React and Next.js performance optimization guidelines from Vercel Engineering.

To install it:
npx skills add vercel-labs/agent-skills@vercel-react-best-practices

Learn more: https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices

Step 4: Offer to Install

If the user wants to proceed, you can install the skill for them:

npx skills add <owner/repo@skill> -g -y

The -g flag installs globally (user-level) and -y skips confirmation prompts.

Common Skill Categories

When searching, consider these common categories:

| Category | Example Queries |
| --- | --- |
| Web Development | react, nextjs, typescript, css, tailwind |
| Testing | testing, jest, playwright, e2e |
| DevOps | deploy, docker, kubernetes, ci-cd |
| Documentation | docs, readme, changelog, api-docs |
| Code Quality | review, lint, refactor, best-practices |
| Design | ui, ux, design-system, accessibility |
| Productivity | workflow, automation, git |

Tips for Effective Searches

  1. Use specific keywords: "react testing" is better than just "testing"
  2. Try alternative terms: If "deploy" doesn't work, try "deployment" or "ci-cd"
  3. Check popular sources: Many skills come from vercel-labs/agent-skills or ComposioHQ/awesome-claude-skills

When No Skills Are Found

If no relevant skills exist:

  1. Acknowledge that no existing skill was found
  2. Offer to help with the task directly using your general capabilities
  3. Suggest the user could create their own skill with npx skills init

Example:

I searched for skills related to "xyz" but didn't find any matches.
I can still help you with this task directly! Would you like me to proceed?

If this is something you do often, you could create your own skill:
npx skills init my-xyz-skill
