skill-search

Fail

Audited by Socket on Feb 25, 2026

1 alert found:

Malware (HIGH) in SKILL.md

The fragment describes a coherent and proportionate workflow for discovering and installing Claude Skill packages from public sources, with explicit user interaction and ordinary install primitives (git clone and file copy). However, the installation mechanism, cloning arbitrary repositories and copying their contents into the global skills directory with no integrity verification or signature check, is a notable supply-chain risk: whatever the remote repository contains at clone time is what gets installed. Strengthen the process with provenance checks (prefer the official anthropics/skills repository, verify that SKILL.md is present and well formed), integrity verification (pin a commit and compare hashes or verify signatures), an optional dry-run, and an explicit prompt before overwriting an existing skill. Overall risk is moderate; with these safeguards the approach becomes more trustworthy.
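One way to implement the safeguards the finding asks for, as an added example that is not the skill's own code: a POSIX shell installer that takes an already-cloned checkout (the caller pins it with git checkout to a known commit), checks that SKILL.md exists with YAML front matter declaring a name, compares its SHA-256 to an expected digest, supports --dry-run, and refuses to overwrite an existing skill unless --force is given. The $SKILLS_DIR default, the front-matter layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill-search skill's own code.
# Assumptions (hypothetical): skills live under $SKILLS_DIR, one directory per
# skill, and each directory holds a SKILL.md whose YAML front matter has a
# `name:` key. The source directory is a checkout the caller already cloned
# and pinned to a commit (git clone ... && git checkout <sha>).

SKILLS_DIR="${SKILLS_DIR:-$HOME/.claude/skills}"

# Print the SHA-256 hex digest of a file; falls back to shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_skill_dir SRC_DIR EXPECTED_SHA256
# Succeeds only when SRC_DIR contains a SKILL.md with front matter declaring
# a name, and the file's digest equals EXPECTED_SHA256.
verify_skill_dir() {
  src="$1"; expected="$2"
  [ -f "$src/SKILL.md" ] || { echo "no SKILL.md in $src" >&2; return 1; }
  # Front matter: the first line must be '---' ...
  head -n 1 "$src/SKILL.md" | grep -qx -- '---' \
    || { echo "SKILL.md has no front matter" >&2; return 1; }
  # ... and a 'name:' key must appear before the closing '---'.
  sed -n '2,/^---$/p' "$src/SKILL.md" | grep -q '^name:' \
    || { echo "front matter declares no name" >&2; return 1; }
  actual=$(sha256_of "$src/SKILL.md")
  [ "$actual" = "$expected" ] \
    || { echo "digest mismatch: got $actual, expected $expected" >&2; return 1; }
  return 0
}

# install_skill SRC_DIR NAME EXPECTED_SHA256 [--dry-run] [--force]
# Exit codes: 0 ok, 1 verification failed, 2 bad flag, 3 would overwrite.
install_skill() {
  src="$1"; name="$2"; expected="$3"; shift 3
  dry=0; force=0
  for a in "$@"; do
    case "$a" in
      --dry-run) dry=1 ;;
      --force)   force=1 ;;
      *) echo "unknown flag $a" >&2; return 2 ;;
    esac
  done
  [ -n "$name" ] || { echo "skill name is empty" >&2; return 2; }
  verify_skill_dir "$src" "$expected" || return 1
  dest="$SKILLS_DIR/$name"
  # Never silently replace an installed skill; the user must opt in.
  if [ -e "$dest" ] && [ "$force" -eq 0 ]; then
    echo "refusing to overwrite $dest (pass --force)" >&2; return 3
  fi
  if [ "$dry" -eq 1 ]; then
    echo "would copy $src -> $dest"; return 0
  fi
  mkdir -p "$SKILLS_DIR"
  rm -rf "$dest"
  cp -R "$src" "$dest"
  echo "installed $name to $dest"
}
```

The expected digest should come from somewhere other than the repository being installed (a lockfile you maintain, or a value recorded the first time you reviewed the skill); a hash fetched from the same untrusted clone verifies nothing.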

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 25, 2026, 07:53 AM
Package URL
pkg:socket/skills-sh/aaaaqwq%2Fclaude-code-skills%2Fskill-search%2F@e4bc78d2f33aaa2bff745d5dde6624d24d00c470