edkuo7

Smart Skill Finder

by Eron · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
109
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install smart-skill-finder
Description
Finds and recommends relevant AI agent skills across multiple ecosystems (Skills CLI, Clawhub, GitHub) using intelligent semantic understanding to match user...
Usage Guidance
What to check before installing/using this skill:

1) Review and sanitize inputs: the Skills-CLI search runs via subprocess.run with shell=True using user-derived text. If you or the agent runs this code on arbitrary user input, command-injection is possible. Prefer escaping or using a list form for subprocess or otherwise sanitizing the query string.
2) Verify claimed features: the README/SKILL.md advertise semantic-model based understanding, VirusTotal checks, and workspace/memory integration, but the code uses simple keyword matching and I found no VirusTotal or local workspace reads. Treat those claims as marketing until the author provides evidence or code updates.
3) Be cautious with browser automation: the browser discovery code assumes a browser_controller and will drive a browser (open pages, type, press keys). Only run this in a controlled environment and avoid passing credentials or sensitive context to it.
4) Installation commands are returned (git clone, npx, clawhub). Do not execute them automatically — inspect sources (GitHub repo, author) before cloning/running third-party skills. Consider cloning into a sandboxed VM/container and scanning the repo before use.
5) If you plan to run this skill in production or allow it to be invoked autonomously, request the author to:
   - Remove shell=True usage or properly escape/validate user inputs; use subprocess.run([...]) list form.
   - Make security-scanning calls explicit (show how VirusTotal/OpenClaw are queried and where API keys would be stored if needed).
   - Document the browser_controller contract and provide safe default behavior.

Given these issues (misleading claims + a real shell-injection pattern), review and remediation are recommended before trusting the skill in an environment with sensitive data or in which the agent can run code autonomously.
Capability Analysis
Type: OpenClaw Skill
Name: smart-skill-finder
Version: 1.0.0

The skill bundle contains a shell injection vulnerability in 'scripts/ecosystems.py' within the 'search_skills_cli' function. User-provided keywords are embedded directly into a command string executed via 'subprocess.run' with 'shell=True', allowing for arbitrary command execution if the input contains shell metacharacters (e.g., double quotes). While the skill's logic for discovering agent skills across Clawhub, GitHub, and Skills CLI appears legitimate and well-documented, this implementation flaw poses a significant security risk.
Capability Assessment
Purpose & Capability
The code implements multi-ecosystem search (Clawhub, Skills CLI, GitHub) and returns install commands — this aligns with the stated purpose. However the README/SKILL.md claim higher-level features ("OpenClaw's semantic understanding", VirusTotal security checks, workspace/memory integration, learning over time) that are not actually implemented in the provided code (the query understanding is simple keyword matching). The mismatch between claimed semantic capabilities and the simple keyword logic is an over‑claim, not outright malicious, but it's misleading.
Instruction Scope
SKILL.md promises read-only, safe behavior and says it never executes installs automatically — the implementation appears to respect that (it formats install commands rather than running them). However the ecosystems module executes external commands to search the Skills CLI using subprocess.run with shell=True and a command string constructed from user queries (e.g., `npx skills find "{search_terms}" --json`). Because search_terms are derived from the user query with minimal escaping, this creates a command‑injection risk if that code is invoked with untrusted input. The code also includes browser automation logic that assumes a browser_controller interface and will drive a browser snapshot/type/press_key flow; that can interact with remote sites and scrape content. Additionally, the skill claims workspace awareness and memory integration but I see no file-reading or memory calls in the code — this is a scope mismatch.
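The following is an added illustration, not code from the skill itself: it reproduces the shell-string pattern the review describes (`npx skills find "{search_terms}" --json`) next to a list-form replacement with an allow-list check, and uses a small Python child process as a stand-in for npx so the argument boundaries can be inspected offline. The function names and the allow-list pattern are assumptions made for this example.

```python
# Added example: the shell=True pattern from the review beside a hardened
# list-form version. Nothing here invokes npx; a Python child echoes argv.
import json
import re
import shlex
import subprocess
import sys

# Assumed allow-list for a search query: word characters, spaces and a few
# punctuation marks. Quotes, ';', '|', '$' and backticks are rejected outright.
_QUERY_RE = re.compile(r"^[\w .,+-]{1,100}$")


def vulnerable_command(search_terms: str) -> str:
    """The flagged pattern: user text interpolated into a single shell string
    that would then be passed to subprocess.run(..., shell=True)."""
    return f'npx skills find "{search_terms}" --json'


def shell_token_count(search_terms: str) -> int:
    """Number of words a POSIX shell would parse from the vulnerable string.
    A plain query gives 5; a query containing a double quote changes the
    parse, which is exactly the injection surface. Parsing only, no execution."""
    return len(shlex.split(vulnerable_command(search_terms)))


def validate_query(search_terms: str) -> str:
    """Reject queries outside the allow-list rather than trying to escape them."""
    if not _QUERY_RE.fullmatch(search_terms):
        raise ValueError("query contains characters outside the allow-list")
    return search_terms


def safe_command(search_terms: str) -> list[str]:
    """List form: each element is exactly one argv entry and no shell is
    involved, so the query reaches the tool as a single argument."""
    return ["npx", "skills", "find", validate_query(search_terms), "--json"]


def argv_as_seen_by_child(search_terms: str) -> list[str]:
    """Run the list-form command with shell=False (the default) against a
    stand-in child that prints its argv as JSON, to show the boundaries hold."""
    cmd = safe_command(search_terms)
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + cmd[1:]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return json.loads(out)
```

In the real skill the same change is replacing the f-string with `subprocess.run(safe_command(query), ...)`; `shlex.quote` is the fallback if a shell string is truly unavoidable.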
Install Mechanism
There is no install spec and no packaged native installer — the skill is included as code files (no external downloads during install). That lowers install-time risk. The code does build install commands (git clone, npx add, clawhub install) but those are only returned to the user, not executed by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However documentation references (VirusTotal/OpenClaw security scanning) are present even though I found no code calling VirusTotal or other security services. Also GitHub API calls are made unauthenticated (no token requested), which is reasonable but may be rate-limited; nothing in the repo requests unrelated credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and doesn't write persistent configuration as part of an install spec. It returns install commands but does not, in the provided code, automatically run them or persist credentials.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install smart-skill-finder
  3. After installation, invoke the skill by name or use /smart-skill-finder
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Smart Skill Finder — an intelligent skill discovery tool for AI agents.
- Finds and recommends relevant AI agent skills using semantic understanding of user requests.
- Searches across multiple ecosystems (Skills CLI, Clawhub, GitHub) and ranks by relevance.
- Provides verified, secure installation guidance and highlights security status where available.
- Handles nuanced natural language queries and works reliably even if some sources are offline.
- Limits results to the top 3 most relevant skills for clear, actionable recommendations.
Metadata
Slug smart-skill-finder
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Smart Skill Finder?

Finds and recommends relevant AI agent skills across multiple ecosystems (Skills CLI, Clawhub, GitHub) using intelligent semantic understanding to match user... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.

How do I install Smart Skill Finder?

Run "/install smart-skill-finder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Smart Skill Finder free?

Yes, Smart Skill Finder is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Smart Skill Finder support?

Smart Skill Finder is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Smart Skill Finder?

It is built and maintained by Eron (@edkuo7); the current version is v1.0.0.
