Is find-skills safe?
https://clawhub.ai/JimLiuxinghai/find-skills
This skill is a package discovery and installation helper that instructs the agent to execute npx skills commands, including auto-installing packages globally with the -y (no confirmation) flag. While it contains no malicious code itself, it creates a significant supply chain attack surface by turning the agent into an automated package installer that runs unvetted code from npm. The overly broad activation triggers mean it could intercept many normal user queries.
Findings (8)
HIGH Unvetted npx execution of third-party packages -35
The skill instructs the agent to run npx skills find [query] and npx skills add <package> -g -y, which downloads and executes arbitrary code from the npm registry. The 'skills' CLI package and any packages it installs run with full user privileges on the host machine.
HIGH Auto-install with suppressed user confirmation -30
The skill instructs the agent to use the -y flag which bypasses all confirmation prompts during package installation. Combined with -g for global install, this means the agent can silently install packages system-wide without the user explicitly approving each package.
MEDIUM Overly broad activation triggers hijack user queries -15
The skill activates on extremely broad patterns like 'how do I do X', 'can you do X', or 'Wants to search for tools, templates, or workflows'. This means many normal user queries could be intercepted and redirected toward the package installation workflow rather than direct assistance.
MEDIUM Supply chain attack amplifier -40
This skill converts an LLM agent into an automated package manager that installs code from external registries. A sophisticated attacker could typosquat popular skill names or compromise the skills.sh registry to distribute malicious packages that would be auto-installed by agents using this skill.
MEDIUM Cross-skill chaining risk -15
If another skill causes the agent to internally process a query matching the broad triggers (e.g., 'how do I do X'), this skill could activate and install packages as a side effect of another skill's operation, creating an indirect code execution chain.
LOW Indirect exfiltration via npx execution -10
While the SKILL.md itself contains no exfiltration code, any package executed via npx skills has full access to the user's filesystem, environment variables, and network. This is an indirect exfiltration vector through the skill's intended workflow.
LOW Sensitive file reads during monitoring window -15
The monitoring captured reads of .env, .aws/credentials, and auth-profiles.json. These appear to originate from the OpenClaw runtime environment rather than the skill itself, but they occurred in the same monitoring window.
INFO No embedded executable code in skill files 0
The skill contains only a markdown file, metadata JSON, and origin JSON. No scripts, hooks, submodules, symlinks, or package.json with install scripts were found. The code execution risk is entirely from the skill's instructions to the agent.