Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Find Skills
v1.0.0
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name, description, and SKILL.md are consistent: the skill helps discover and install agent skills. Minor inconsistency: the instructions rely on npx (Node/npm) but the metadata lists no required binaries.
Instruction Scope
Instructions stay within the stated purpose (searching and installing skills) and do not request unrelated files or env vars. They do recommend running 'npx skills add ... -g -y' which installs packages globally and suppresses prompts — a behavior that could cause changes without explicit local confirmation if executed automatically.
Install Mechanism
This is an instruction-only skill with no install spec or code. However, it relies on npx to fetch packages from the registry/remote repos at runtime; using npx to run arbitrary packages can pull and execute remote code and should be treated as a supply-chain risk.
Credentials
The skill declares no environment variables, credentials, or config paths. No unexplained secrets are requested.
Persistence & Privilege
'always' is false and the skill is user-invocable, which is appropriate, but the guidance to install skills globally with '-g -y' could allow the agent (if permitted) to perform unattended global installs. Combined with platform-default autonomous invocation, this increases the blast radius if the agent is allowed to run commands without explicit user confirmation.
What to consider before installing
This skill is coherent with its stated purpose, but it tells the agent to use 'npx' to fetch and globally install third-party packages and even suggests '-g -y' to skip confirmations. Before installing anything:
1. Ensure Node/npm/npx are present locally (the skill metadata doesn't declare this).
2. Verify the skill's source repository and popularity (installs/stars) before installing.
3. Avoid running global installs with -y unless you trust the package; prefer local or sandboxed installs.
4. Require explicit, user-initiated confirmation before any install.
5. Treat npx as a potential supply-chain vector: inspect the package repo or installation artifacts when possible.
If you want the agent to install skills for you, limit it to presenting commands and require you to run them manually.
