find-skills

The skill fragment is internally consistent with its stated purpose of helping users discover and install open agent skills. It references legitimate workflows (npx skills find/add) and points to an external registry (skills.sh). There are no credential exposures, no embedded malware, and no suspicious data exfiltration patterns within the fragment itself. The primary supply-chain risk is the usual risk inherent in installing external skills (trust in sources, potential supply-chain risk of installed skills). Overall risk is ongoing but not inherently malicious in this fragment; treat as SUSPICIOUS/LOW-MED relative to supply-chain risk due to external installs, but not malicious by itself.