find-skills
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File
The material is a benign user-oriented guide to discovering and installing community 'skills', but it prescribes high-risk operational patterns: unpinned npx download-and-execute, global and automated installs, and implicit encouragement of running elevated shells. These are established supply-chain and privilege-escalation vectors. No explicit malicious code or hard-coded secrets are present in the provided fragment, but use of the recommended commands can expose hosts to malicious packages or post-install scripts. Recommended mitigations: avoid unpinned npx installs, require pinned versions and integrity checks, avoid global and automated `-y` installs in documentation, warn users about privilege elevation, and advise verifying package publisher and reviewing package source before installing.