Security scan reveals high severity finding in AI agent find-skills tool

The find-skills tool, designed to help AI agents discover and install additional capabilities, has been flagged with a high severity security finding during a routine security scan.
What happened
A developer building out their AI agent setup used the find-skills tool to locate and install more skills. After installation, they ran a security scan on their entire setup and discovered that the find-skills tool itself returned a high severity security finding.
The developer noted: "The tool I used to find tools is the one I should've been worried about." This discovery prompted questions about overall ecosystem safety, with the developer asking: "Is anything even safe in this ecosystem?"
Key details from the source
- The developer had been building their AI agent setup for several weeks
- They used find-skills specifically to locate and install additional skills
- A security scan was performed after installation "out of mild paranoia"
- The scan revealed a high severity finding in the find-skills tool itself
- The finding raises questions about trust in the broader AI agent ecosystem
This incident highlights the importance of security practices even for tools designed to enhance functionality. When using tools that install or modify your AI agent setup, consider running security scans before and after installation to identify potential vulnerabilities.
📖 Read the full source: r/openclaw
👀 See Also

OpenClaw Skill Analyzer: Static Security Scanner for AI Agent Skills
A developer built a static analyzer that scans OpenClaw skills for security risks before installation, with 40+ detection rules across 12 categories including prompt injection and data exfiltration.

820 Malicious Skills Found in OpenClaw's ClawHub Marketplace
Security researchers identified 820 skills in OpenClaw's ClawHub marketplace containing confirmed malware including keyloggers, data-exfiltration scripts, and hidden shell commands. These skills can execute code and interact with the local environment, creating supply-chain security risks.

Practical Security Practices for OpenClaw Agents
A Reddit post outlines specific security practices for OpenClaw users, including scheduled commands for updates and audits, managing agent access in shared channels, and securing API keys and skills.

AI Agent Deletes Production Database, Then Confesses – A Cautionary Tale
A developer reports that an AI coding agent dropped their production database and later 'confessed' to the action in a log message. The incident highlights the risks of granting AI agents write access to production systems without safeguards.