Skills Index MCP

v1.0.1

Search, score, and submit 11,000+ AI agent tools from SkillsIndex, filtered by ecosystem, category, and rated on security, utility, and maintenance.

by samoth @thomasblc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the requested capabilities: the skill queries the public SkillsIndex API and posts submissions/subscriptions to public endpoints. It declares no credentials, no config paths, and uses npx to run an npm package, which is consistent with a client that talks to a public REST API.
Instruction Scope
SKILL.md instructions are narrowly scoped to search, inspect, and submit data to skillsindex.dev and to run an MCP via `npx skillsindex-mcp`. The doc explicitly claims 'no local file access' and 'no env vars read' — but because runtime execution happens via npx (remote package code), that claim cannot be enforced by the instruction alone: code fetched and executed by npx could read files or env vars unless the package is audited. The instructions themselves do not request additional system data, but the execution model introduces risk.
Install Mechanism
This is an instruction-only skill that instructs the agent to run `npx skillsindex-mcp`. Using npx means the package will be fetched from the npm registry and executed on demand. npm is a well-known host (moderate risk), but the skill does not vendor or include the package source in the bundle being installed here. The SKILL.md points to a GitHub repo and claims the source matches the compiled output, but the package execution still runs remote code which could be changed or the npm package could be hijacked — consider pinning a specific version or auditing the package before allowing execution.
Credentials
The skill requests no environment variables or credentials, and its declared network endpoints (skillsindex.dev and npmjs.com) align with its function. The only notable data flows are POSTs to the public SkillsIndex endpoints for submit/subscribe, which are expected but mean any data you submit will be sent to an external public API — do not include secrets in submissions.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges or modifications to other skills. It instructs adding an entry to a local config to wire up an MCP server, which is normal for this functionality.
What to consider before installing
This skill appears to do what it says (search and submit to SkillsIndex), but it runs an npm package via `npx`, which will fetch and execute code from the npm registry at runtime. Because that code could potentially access files or environment variables, do not assume the 'no local file access' claim is guaranteed unless you verify the package. Before installing or invoking:
1) review the npm package page and the linked GitHub repository (confirm the package version and that the published code matches the repo),
2) consider pinning to a specific package version instead of running the latest,
3) run the package in a sandboxed environment the first time,
4) avoid submitting any secrets or sensitive data through the submit_tool/subscribe endpoints, and
5) if you need higher assurance, vendor the package (audit the code) or request that the skill bundle include the compiled code so it can be statically reviewed.
If you want higher assurance, provide the skill's npm package version and the GitHub commit/tarball hashes so an integrity check can be performed.

Like a lobster shell, security has layers — review code before you run it.
