Skills
skills/joelhooks/openclaw-codex-ralph/find-skills/Gen Agent Trust Hub

find-skills

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches skill metadata from the skills.sh registry and downloads package content from GitHub repositories. It references both trusted organizations like vercel-labs and third-party sources.
  • [COMMAND_EXECUTION]: Utilizes the npx skills CLI for package management, including the use of the -y flag to bypass confirmation prompts.
  • [REMOTE_CODE_EXECUTION]: Facilitates the download and execution of external scripts from remote repositories as its primary purpose.
  • [PROMPT_INJECTION]: The processing of untrusted search results from an external registry creates a surface for indirect prompt injection. 1. Ingestion points: Output from the npx skills find command. 2. Boundary markers: None; search results are presented directly. 3. Capability inventory: Shell execution of the npx skills tool suite. 4. Sanitization: No validation or filtering is performed on external metadata before presentation or use.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 26, 2026, 08:38 AM