Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Find Skills Cn
v1.0.0
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and runtime instructions all focus on discovering and installing other agent skills. There are no unrelated environment variables, binaries, or config paths requested — the pieces align with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run npx commands (`npx skills find`, `npx skills add`) and suggests using `-g -y` to install globally without prompts. That is expected for a 'find/install skills' helper, but it directs the agent to fetch and execute third‑party code and to perform unattended installs, which broadens what the agent will do at runtime.
Install Mechanism
No install spec in the skill metadata (instruction-only), so the skill itself won't write files. However, it instructs use of npx to download packages from npm/GitHub at runtime. This is appropriate for the functionality but is a higher-risk operation than purely local, read-only tasks because it causes arbitrary third‑party code to be run/installed.
Credentials
The skill requests no environment variables, credentials, or config paths. Nothing appears disproportionate to the purpose. It does, however, assume network access and permission to run npx and install packages on the host.
Persistence & Privilege
always is false (good). Still, instructions promote global and unattended installs (`-g -y`), which allow the agent (if it runs commands autonomously) to change user environment and install persistent packages without confirmation. That increases blast radius compared to a purely informational skill.
Assessment
This skill does what it says — it helps find and install other skills — but its runtime instructions tell the agent to use npx to download and install third‑party packages and even recommends global, unattended installs. Before using it: (1) Prefer to keep autonomous execution disabled for this skill (or require explicit user confirmation) so installs aren't performed without your consent. (2) Review the specific skill/package and its repository on skills.sh or GitHub before running npx install, and avoid `-g -y` if you want to confirm. (3) If you must allow installs, consider running them manually yourself or in a sandboxed environment to reduce risk.
Like a lobster shell, security has layers — review code before you run it.
