Auto Skill Hunter
Pass. Audited by VirusTotal on May 12, 2026.
Findings (1)
The `src/hunt.js` script introduces a critical supply chain vulnerability: it uses `execSync` to `git clone` repositories from external `repoUrl` values fetched from `clawhub.com`, then runs a self-test (`node "${indexPath}" --self-test`) on the newly installed skill's `index.js`. Because the cloned code is neither sanitized nor sandboxed before it is executed, a compromised ClawHub, or a malicious skill hosted there, leads directly to arbitrary code execution. Although the skill's stated purpose is benign (auto-discovery and installation of skills), this mechanism creates a severe remote code execution risk, and the skill is classified as suspicious because of that inherent vulnerability.
