ClawHub

Skills Search across ClawHub, skills.sh, and SkillsMP

v1.0.1

Search for Agent Skills across ClawHub, skills.sh, and SkillsMP, then rank by Health Score (downloads + stars + installs + security). Use this skill whenever...

0· 75·0 current·0 all-time
by@trip1ewhy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md's behavior (search three aggregators, call clawhub inspect, compute a health score, fetch SKILL.md for quick security heuristics) matches the skill name/description. However, the runtime text relies on external commands (clawhub and curl) even though the registry metadata declares no required binaries; that mismatch should be fixed or verified before installing.
Instruction Scope
Instructions stay within the stated purpose: they search remote indexes, fetch metadata and SKILL.md files, and apply a heuristic security scan (look for hardcoded external curl, credential-file reads, destructive commands, base64|sh patterns, etc.). The SKILL.md does not instruct reading user-local secrets or arbitrary system files; it inspects remote skill files only.
Install Mechanism
No install spec (instruction-only) — low footprint. But runtime assumes availability of 'clawhub' and 'curl' (and possibly npx in examples); the package metadata should declare those prerequisites or provide installation guidance.
Credentials
The skill requests no environment variables, credentials, or config paths. The security-scanning heuristic explicitly flags instructions that would read ~/.env, ~/.ssh, ~/.aws, etc., which is appropriate for the task and not requested.
Persistence & Privilege
always is false and there is no install-time persistence requested. The skill is allowed to be invoked autonomously (platform default) but it does not request elevated persistence or modify other skills' configs.
Assessment
This skill appears coherent for searching and ranking skills, but verify a few practical points before trusting it: (1) Ensure the agent environment has the required CLI tools (clawhub and curl) and, if needed, credentials for clawhub; the skill metadata currently does not declare these dependencies. (2) The SKILL.md fetches remote SKILL.md files via network (r.jina.ai proxy); confirm you are comfortable allowing outbound network calls to that proxy. (3) The built-in security scan is a heuristic and can miss issues — always click through the provided platform links and manually inspect a candidate skill's SKILL.md before installing. (4) If you do not want autonomous network-enabled checks, consider disabling autonomous invocation for this skill or restrict network access. If you want a stronger assurance, ask the publisher to add declared required binaries and a short install/checklist so the skill's metadata matches its runtime expectations.

Like a lobster shell, security has layers — review code before you run it.

latestvk978btk1nmr59qpyaay20snt5n83ka9f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments