Is jimliuxinghai/find-skills safe?

https://github.com/openclaw/skills/tree/main/skills/jimliuxinghai/find-skills

Overall score: 77/100 (CAUTION)

This skill is a markdown-only document with no embedded executable code and a clean installation footprint; its direct security posture is low-risk. The meaningful concerns are behavioral: the skill instructs agents to run 'npx skills add -g -y' which bypasses user confirmation and installs globally, and as a 'skill that installs skills' it functions as a second-order supply chain multiplier where any compromise of the skills.sh ecosystem or npm 'skills' package propagates automatically. Users who install this skill should be aware they are enabling an agent capability that can install additional code without per-install approval.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 78/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Auto-install bypasses user confirmation with global scope -30

The skill explicitly instructs the agent to run 'npx skills add <owner/repo@skill> -g -y' when installing recommended skills. The -y flag skips every confirmation prompt, and -g installs the skill globally (available to the agent in every project) rather than into the current project directory. The agent can therefore install skill packages from arbitrary repositories without any user approval step, creating a fully automated pathway from a skill recommendation to code installed on the user's machine.

HIGH Second-order supply chain multiplier -40

A skill whose primary function is installing other skills creates a compounding supply chain risk. If the 'skills' npm package, the skills.sh directory, or any recommended skill repository is compromised by a malicious actor, this skill serves as the propagation mechanism to all agent users who have installed it. The -y bypass means there is no friction step where a user might notice anomalous behavior before code runs.

MEDIUM npx executes remote code without version pinning -20

All skill discovery and installation is driven through 'npx skills', which names the 'skills' npm package without a version; npx resolves an unversioned name to the latest published release, so each invocation can run a different version than the one reviewed. Without a pinned version or an integrity check, a supply chain compromise of the 'skills' package on npm would silently affect every subsequent run of this skill's recommended commands. Pinning the version in the recommended command (the 'skills@<version>' form) would narrow the exposure to a reviewed release, though it does nothing about a compromise of the recommended skill repositories themselves.
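As an added example (not code from the audited skill, from the skills.sh tooling, or from the audit framework), the following Python check scans a SKILL.md-style document for the command patterns behind the two findings above: 'npx' invocations that carry -y/--yes and -g/--global, and invocations of a package with no pinned version. The sample markdown is constructed to mirror the instructions the report describes and is not the real skill file; the flag semantics assumed are ordinary npm/npx conventions (-y/--yes, -g/--global, clustered short flags such as -gy, name@version, and --package=name@version), and 'skills@latest' is deliberately treated as unpinned because a dist-tag can be re-pointed.

```python
"""Static check for auto-install instructions in agent skill markdown.

Added example: not code from the audited skill, skills.sh or the audit
framework. Flag semantics assumed are npm/npx conventions.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# Constructed sample mirroring the instructions the report describes.
# It is NOT the real SKILL.md of jimliuxinghai/find-skills.
SAMPLE_SKILL_MD = """\
# find-skills

When the user asks "how do I do X" or "can you do X", search for a skill:

    npx skills find <query>

To install a recommended skill, run:

    npx skills add <owner/repo@skill> -g -y
"""

# One npx invocation per line (stops at a closing backtick in inline code).
NPX_LINE = re.compile(r"\bnpx\b[^\n`]*")
# name@version with a concrete version or range, e.g. skills@1.2.3 or
# @org/pkg@^2.0.0. A dist-tag such as skills@latest is NOT a pin.
PINNED = re.compile(r"^(@?[^@\s]+)@([~^]?\d[\w.+-]*)$")


@dataclass
class NpxInvocation:
    command: str
    package: str              # package name without the version part
    pinned: bool              # True only for an explicit version spec
    skips_confirmation: bool  # -y / --yes present
    global_scope: bool        # -g / --global present
    flags: List[str] = field(default_factory=list)


def _expand(tok: str) -> List[str]:
    """Split clustered short flags: '-gy' -> ['-g', '-y']."""
    if tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
        return ["-" + c for c in tok[1:]]
    return [tok]


def parse_npx(command: str) -> NpxInvocation:
    """Parse one 'npx ...' command line into its security-relevant properties."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "npx":
        raise ValueError("not an npx command: %r" % command)
    positional = ""
    pkg_opt = ""
    flags: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("--package="):
            pkg_opt = tok.split("=", 1)[1]   # npx --package=skills@1.0.0 skills ...
        elif tok.startswith("-"):
            flags.extend(_expand(tok))
        elif not positional:
            positional = tok                 # first positional is the package
    spec = pkg_opt or positional
    m = PINNED.match(spec)
    return NpxInvocation(
        command=command.strip(),
        package=m.group(1) if m else spec,
        pinned=m is not None,
        skips_confirmation=("-y" in flags) or ("--yes" in flags),
        global_scope=("-g" in flags) or ("--global" in flags),
        flags=flags,
    )


def find_invocations(text: str) -> List[NpxInvocation]:
    """Every npx invocation found in a markdown document, in order."""
    return [parse_npx(m.group(0)) for m in NPX_LINE.finditer(text)]


def audit(text: str) -> List[str]:
    """One finding per risky property, mirroring the report's own categories."""
    findings: List[str] = []
    for inv in find_invocations(text):
        if inv.skips_confirmation and inv.global_scope:
            findings.append("HIGH: global install without confirmation: " + inv.command)
        elif inv.skips_confirmation:
            findings.append("MEDIUM: confirmation prompts skipped: " + inv.command)
        if not inv.pinned:
            findings.append("MEDIUM: unpinned package '%s': %s" % (inv.package, inv.command))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SKILL_MD):
        print(line)
```

Run against the constructed sample it reports three findings: the discovery command is unpinned, and the install command is both unpinned and a global install with confirmation bypassed. Pointing it at a real skill directory is a cheap pre-install gate for exactly the behaviour this audit scores.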

MEDIUM Overly broad proactive trigger conditions -22

The skill activates on extremely general conditions: 'how do I do X', 'can you do X', and 'expresses interest in extending capabilities'. This risks the agent initiating skill searches and offering installation flows in contexts the user did not intend, normalizing skill installation as a response to ordinary questions and potentially exposing users to skills they have not evaluated.

LOW Canary credential files read during install window -15

All six canary/honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at 11:59:07, approximately 5 seconds before the git clone began. Timing analysis strongly suggests these reads are attributable to the audit framework's canary initialization phase rather than the skill being installed. Canary integrity confirmed files are unmodified. Flagged for completeness.

LOW Agent directed to third-party domain for skill browsing -10

The skill instructs the agent to present links to skills.sh, a domain controlled by the skill ecosystem operator rather than by the user or a neutral party. The agent is told to generate links of the form 'https://skills.sh///' and direct users there. This is a mild concern: the skill conditions the agent to surface and implicitly endorse content from this domain, so whoever controls skills.sh, or can alter what it serves, influences which skills users are steered toward.

INFO Clean sparse checkout with expected network behavior 0

The install process performed a clean sparse git checkout targeting only 'skills/jimliuxinghai/find-skills' from the monorepo. All network activity during the install was limited to GitHub (140.82.121.3:443) and DNS. No unexpected processes, no writes outside the target directory, no connections to attacker-controlled infrastructure.