find-skills
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
The 'find-skills' skill is functionally appropriate for discovering and recommending agent skills, but it promotes high-risk supply-chain and autonomy behaviors: unpinned installs, global unattended installs (-g -y), and delegation to an unverified installer. There is no explicit malicious code in the provided text, but following its recommendations without mitigation creates a significant attack surface for supply-chain compromise and untrusted code execution. Recommended mitigations: require explicit per-install human confirmation, avoid '-g -y' in automated flows, pin install commands to commit SHAs or use checksums, validate publisher identity, sandbox or limit installer privileges, and log/notify users of any install operations.