find-skills
Audited by Socket on Mar 3, 2026
1 alert found:
Malware: This skill is a discovery-and-installation helper that documents how to find and install third-party agent skills using the Skills CLI (npx skills). The content itself contains no direct malicious code or hardcoded secrets, but it encourages download-and-execute installation of remote packages and explicitly recommends global, unattended installs (-g -y). That pattern creates a meaningful supply-chain and transitive trust risk: installing untrusted skills can run arbitrary install scripts, access local credentials, and install further code. The primary risk is operational (supply-chain and transitive install risk) rather than contained malware in this file. Recommend adding explicit safety guidance: verify publisher/repos, pin to versions/commits with checksums, avoid unattended global installs, and run installs in a sandboxed environment or with restricted permissions.