Find Skills Tianjin
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent, but it recommends installing third-party agent skills globally while skipping confirmation prompts.
Use this skill for finding skills, but do not let it install anything until you have reviewed the exact package, publisher, and source. Consider removing `-y` so you can see the installer confirmation, and prefer non-global or easily reversible installs when available.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could end up with a third-party skill installed globally, changing future agent behavior, without seeing the normal package-manager confirmation step.
This is a high-impact tool action because it installs a new agent skill globally and bypasses the CLI's confirmation prompts. Although installation is purpose-aligned, the default workflow lacks a clear guardrail requiring source review or exact-package confirmation before the agent runs it.
`npx skills add <owner/repo@skill> -g -y`
The `-g` flag installs globally (user-level) and `-y` skips confirmation prompts.
Require explicit user confirmation of the exact package and publisher before installation, avoid `-y` by default, and prefer scoped or reversible installs when possible.
Installing a skill from an untrusted or mistaken source could introduce unsafe instructions or tools into the agent environment.
The skill explicitly installs packages from external sources. This is expected for a skill-finder, but users should treat the selected package source as part of the trust decision.
`npx skills add <package>` - Install a skill from GitHub or other sources
Review the skill page, publisher, repository, and requested capabilities before installing any result.
