find-skills

Fail

Audited by Socket on Mar 8, 2026

1 alert found:

Obfuscated File: HIGH
SKILL.md

The skill's stated purpose (discovering and installing third-party skills via skills.sh) is broadly coherent with its described capabilities and workflows. However, the footprint entails notable supply-chain risk and potential for executing unverified remote code, especially during install-time and when integrating external skills. This is amplified by the reliance on external repositories (GitHub, GitLab) and a centralized registry without explicit provenance verification or sandboxing. The risk level is MEDIUM due to third-party installs and remote code execution potential, with notable concerns around supply-chain trust and lack of explicit security controls described. No credentials are explicitly required by the skill itself, but the act of installing external skills could lead to credential exposure if downstream skills request access tokens or keys. Overall, the skill is plausible and useful for its purpose, but should include stronger security measures (verifiable signatures, sandboxed execution, explicit permission prompts, and provenance checks) to be considered robust for production use.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 8, 2026, 03:52 AM
Package URL: pkg:socket/skills-sh/mgiovani%2Fcc-arsenal%2Ffind-skills%2F@293eb1dc44e7e53f34bb8ce2e56f78c4fb6acd23