find-skills

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). Suspicious: skills.sh is an unverified third-party site that instructs users to run npx (which executes remote npm packages) and to run shell filesystem commands—both common vectors for distributing malware—so it should be treated as high risk unless the project and packages are independently verified.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime use of "npx skills add owner/repo@skill" which downloads and executes remote npm/git repositories (i.e., arbitrary owner/repo code that can control agent prompts and behavior) and even links to https://skills.sh/ as the source — so it relies on fetching and running external code at runtime.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 12, 2026, 07:56 AM
Issues: 2
Security Audit — snyk — find-skills