      JimLiuxinghai

      Safety Report

      Find Skills

      @JimLiuxinghai

      Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.

      118,402 Downloads
      1,392 Installs
      529 Stars
      1 Versions
      API Integration 4,971

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The skill's description matches its instructions (it uses the Skills CLI to find and install skills), but the runtime guidance encourages executing third‑party code via npx and installing packages globally with -y (skipping prompts), which raises safety concerns that the metadata does not address.

      Feb 11, 2026 · 1 file · 3 concerns

      Purpose & Capability: ok

      The name/description (find and install skills) align with the SKILL.md: it documents using the 'npx skills' CLI and skills.sh to search and add skills. Nothing requested in metadata (no creds, no binaries) conflicts with that purpose.

      Instruction Scope: note

      Instructions are focused on searching and installing skills via 'npx skills'. They do not request reading local files or unrelated environment variables. However, they explicitly suggest running 'npx skills add <pkg> -g -y' (global install, auto-confirm) which instructs the agent to fetch and run remote code without interactive confirmation — a behavior that broadens runtime authority and risk.

      Install Mechanism: note

      There is no install spec in the skill bundle (instruction-only), but the runtime workflow depends on npx (npm) to fetch/execute packages from the public registry and GitHub. Using npx/npm packages means arbitrary remote code will be executed at runtime if the agent follows the instructions; this is expected for a finder/installer but is a higher-risk operation than purely local actions.

      Credentials: ok

      The skill requests no environment variables, credentials, or config paths. That is proportionate to a discovery/install helper.

      Persistence & Privilege: concern

      The SKILL.md encourages global installs (-g) and auto-confirmation (-y). While the skill metadata does not force always:true, following the instructions would persist third‑party code system‑wide and could be performed without explicit user re-confirmation if the agent is allowed to run shell commands. This combination increases the blast radius of any malicious third‑party skill installed.

      Guidance

      This skill is coherent for finding and adding skills, but exercising caution is important before allowing it to install anything. npx will fetch and execute code from npm/GitHub — review the exact package and its source before installing. Avoid global installs and auto-confirm (-g -y) unless you trust the package owner; prefer showing the install command to the user and asking for explicit permission. If you want stricter controls, disallow autonomous shell execution for the agent or require manual approval for any npx/npm install operations. Verify links on skills.sh and prefer well-known authors/repos when installing new skills.

      Latest Release

      v0.1.0

      - Initial release of the find-skills skill.
      - Helps users discover and install agent skills when looking for new functionality or extending agent capabilities.
      - Provides clear guidance on searching for, presenting, and installing skills using Skills CLI commands.
      - Includes examples and tips for effective skill discovery across common categories like web development, testing, and DevOps.
      - Offers fallback options when no relevant skills are found, including help with tasks directly and guidance on creating new skills.


      Published by @JimLiuxinghai on ClawHub
