Downloads: 612
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install rush-find-skills
Description
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
Usage Guidance
This skill is coherent with a 'find and install skills' purpose, but check a few things before installing or running it:
1) Verify the registry: the SKILL.md defaults to https://rush.zhenguanyu.com (a third-party registry). If you don't trust that host, override the registry explicitly or refuse installs from it.
2) Be cautious about using npx or installing reskill globally: those commands will fetch and execute remote code. Prefer reviewing the reskill project source and the specific skill package before installation.
3) Note the metadata mismatches (SKILL.md name/version/author differ from the registry metadata) and the undeclared RESKILL_REGISTRY env var, and ask the publisher to clarify.
4) Ensure the agent asks for your explicit approval before any install (the doc says it should, but verify behavior).
If you need higher assurance, test searches without installing, or run reskill commands yourself in an isolated environment and inspect any candidate skill code before installation.
Capability Analysis
Type: OpenClaw Skill
Name: rush-find-skills
Version: 0.3.2
The skill is classified as suspicious because it explicitly instructs the AI agent to perform high-risk operations, including direct shell command execution (`npm`, `npx`, `which`, `reskill`, `mkdir`, `echo`), reading environment variables (`RESKILL_REGISTRY`), and scanning the file system for configuration files (`skills.json`) and agent directories (`.cursor/`, `.claude/`). While these actions are presented as necessary for the stated purpose of finding and installing skills via the `reskill` package manager, they introduce a significant attack surface. A lack of robust input sanitization by the agent when constructing commands from user input or discovered data could lead to shell injection or unauthorized file access, even though the `SKILL.md` itself contains no malicious instructions.
Capability Assessment
Purpose & Capability
The SKILL.md behavior (searching and installing skills via the reskill CLI) aligns with the declared purpose (finding/installing skills). However there are small inconsistencies: the SKILL.md top-level name/version/author (clawdhub-find-skills, v0.4.0, author=reskill) does not match the registry metadata (owner: kn7..., slug: rush-find-skills, version 0.3.2). These mismatches could indicate stale or copied documentation or sloppy packaging and should be verified.
Instruction Scope
The instructions tell the agent to run the reskill CLI (or fall back to npx reskill@latest) and to consult RESKILL_REGISTRY and defaults.publishRegistry in skills.json. The skill metadata declares no required environment variables, yet the doc expects RESKILL_REGISTRY to be used if present — this is an undeclared environment access. The SKILL.md otherwise follows a narrow workflow (search → present → ask → install) and explicitly recommends asking user consent before installing.
Install Mechanism
This is an instruction-only skill (no install spec). It recommends installing/using an external package (reskill) and falling back to npx, which will download and run remote code from a registry. That behavior is expected for a package-manager-style skill, but the doc's default registry is a third-party URL (https://rush.zhenguanyu.com) rather than a well-known, broadly-trusted host — this raises a supply-chain risk because installed skills come from that registry.
Credentials
The skill requests no credentials or sensitive env vars in its metadata, which is proportionate. However SKILL.md references RESKILL_REGISTRY (an env var) and defaults.publishRegistry in skills.json without declaring them as required; this discrepancy should be clarified. No other sensitive system paths or credentials are requested.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system-wide settings in the instructions, and relies on user consent before installing other skills. Autonomous invocation is allowed by platform default but is not combined with high privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install rush-find-skills`
- After installation, invoke the skill by name or use `/rush-find-skills`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.2
- Expanded documentation on trust and security; clarified why the Rush registry is used by default and how registry selection works.
- Added instructions to prefer globally installed `reskill` CLI, falling back to `npx` only if needed.
- Improved and streamlined guidance on resolving registries and command examples.
- No functional code changes—documentation only.
v0.3.1
Version 0.4.0
- Added direct skill recommendations for common intents (e.g., creating/publishing skills now recommends @kanyun/rush-reskill-usage without searching).
- Extended usage scenarios to include "create, write, or publish a skill to a registry."
- Updated guidance to skip registry searches and proceed directly to install when well-known intents are detected.
- Step-by-step instructions and workflow remain unchanged for all other queries.
v0.3.0
init-commit
Frequently Asked Questions
What is @kanyun/rush-find-skills?
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express... It is an AI Agent Skill for Claude Code / OpenClaw, with 612 downloads so far.
How do I install @kanyun/rush-find-skills?
Run "/install rush-find-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is @kanyun/rush-find-skills free?
Yes, @kanyun/rush-find-skills is completely free (open-source). You can download, install and use it at no cost.
Which platforms does @kanyun/rush-find-skills support?
@kanyun/rush-find-skills is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created @kanyun/rush-find-skills?
It is built and maintained by Kris (@krislavten); the current version is v0.3.2.