find-skills

Fail

Audited by Socket on Feb 17, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected.

The skill fragment is consistent with its stated purpose: it describes a legitimate discovery and install workflow for open-agent-skills. While the approach is normal for extensible tool ecosystems, it hinges on user trust and verification of external scripts and sources. No malicious behavior is evident in the fragment itself, but users should exercise caution when executing external install scripts to avoid supply-chain risks.

LLM verification: The SKILL.md file is benign informational documentation describing how to find and install agent skills. There is no embedded malicious code in the provided text. However, the documented workflow directs users to fetch and execute third-party code (via `npx` and a bash install script), which is an intrinsic software supply-chain and arbitrary code-execution risk. Recommend adding explicit verification and sandboxing guidance to the documentation and treating installs from unvetted sources as pot

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 17, 2026, 01:29 AM
Package URL: pkg:socket/skills-sh/bytedance%2Fdeer-flow%2Ffind-skills%2F@2c11dbd9c5e6b1800448facf48d58c6b7c7c2344