📦 Find Skill — 技能速搜
v1.0.0当用户提出“怎么做X”“找能做X的技能”“有没有技能可以…”等需求时,自动检索并推荐最匹配的 Agent 技能,实现一键发现与安装。
14· 1.5万·178 当前·186 累计
by 下载技能包
最后更新
2026/3/6
安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions match its stated purpose (finding and installing other skills) but they instruct the agent to run npx installs (including global, unattended installs) without requiring or documenting the npx/npm binary, and that enables the agent to pull and run arbitrary third‑party code — this is coherent with the purpose but raises security concerns the user should understand before proceeding.
评估建议
This skill is what it says: a helper that runs the 'skills' CLI via npx to find and add other skills. Before using it, ensure you: (1) have npx/npm and understand what 'npx skills add' will do on your system; (2) do not allow unattended/global installs (-g -y) unless you trust the package source; (3) review the target skill's repository or package before installing (look for code, maintainer, popularity, and permissions); (4) prefer local or sandboxed installs rather than global installs; and (5...详细分析 ▾
ℹ 用途与能力
The name/description match the SKILL.md: the skill is an instruction-only assistant that uses the 'skills' CLI (npx skills) to find and add skills. However the skill declares no required binaries while the runtime guidance assumes npx/npm is available — a minor mismatch that should be documented or enforced.
⚠ 指令范围
Instructions ask the agent to run 'npx skills find' and 'npx skills add', and to use 'npx skills add <owner/repo@skill> -g -y' to install globally and skip confirmations. That is within the stated purpose (discover/install skills) but grants the agent the ability to download and execute arbitrary third‑party packages silently; the SKILL.md does not instruct reviewing package source or permissions.
ℹ 安装机制
This skill is instruction-only (no install spec and no code files) which is low-risk. But the recommended install mechanism (npx skills add) will fetch code from remote sources (GitHub/registry) when used — the skill itself does not restrict or advise vetting those downloads.
✓ 凭证需求
The skill requests no environment variables, credentials, or special config paths — nothing appears disproportionate in declared env/cred requirements.
⚠ 持久化与权限
always is false (good) but the platform default allows autonomous invocation. Combined with instructions to install arbitrary skills (including global, unattended installs), this increases the blast radius: an agent that can run commands could install other skills which themselves can run code. The SKILL.md does not recommend safeguards (user confirmation, sandboxing, review).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/6
- Initial release of the "find-skills" skill. - Helps users discover and install agent skills based on their queries (e.g., "how do I do X?"). - Provides guidance on using the Skills CLI (`npx skills`) for searching and installing skills. - Includes examples, tips for effective searches, and common categories to assist users. - Offers instructions for situations when no suitable skills are found.
● 无害
安装命令
点击复制官方npx clawhub@latest install find-skill
镜像加速npx clawhub@latest install find-skill --registry https://cn.longxiaskill.com