fff
v1.0.3Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
⭐ 0· 47·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The SKILL.md is consistent with the described purpose: it instructs the agent to search for and install skills using the 'skills' CLI (npx skills). However, the skill declares no required binaries while the runtime instructions assume 'npx' (Node/npm) is available — a minor inconsistency that should have been declared.
Instruction Scope
Instructions stay within the stated scope (searching and installing skills). They recommend commands like 'npx skills find' and 'npx skills add <pkg> -g -y'. The suggested global install (-g) and skip-confirmation (-y) flags increase the impact of an install operation by performing non-interactive, user-level installs; the skill does not instruct reading unrelated files or environment variables.
Install Mechanism
This is an instruction-only skill (no install spec). It relies on 'npx' to fetch/install packages at runtime, which will execute remote code from package registries or GitHub. That behavior is expected for a skill that installs other skills, but it is inherently higher-risk than purely local actions because it causes arbitrary packages to be downloaded and run.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a discovery/installer helper.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. disable-model-invocation is false (normal); nothing here grants the skill abnormal platform privileges.
Assessment
This skill appears to do what it says: help find and install other skills. Before using it, ensure you have Node/npm/npx available (the SKILL.md assumes npx but the skill doesn't declare that dependency). Be cautious about running the suggested install command with '-g -y' because that installs packages globally and skips prompts — verify the exact package (owner/repo@skill) and its source (GitHub/skills.sh) before consenting. If you want a safer workflow, avoid '-g -y' so you keep interactive confirmation, and inspect the skill's repository/readme before installing. If you lack Node/npm or prefer not to install third-party packages, you can ask the agent to search and present candidate skills without performing the install.Like a lobster shell, security has layers — review code before you run it.
latestvk97e24wzsqc4e7tzhz12nmyp4d84sj4j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.