skill-install
- Repo stars 2,670
- Author updated Live
- Author repo myclaude
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @stellarlinkco · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Env read
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-install
description: Install Claude skills from GitHub repositories with automated security scanning. Triggers when u…
category: security
runtime: no special runtime
---
# skill-install output preview
## PART A: Task fit
- Use case: Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / When to Use / Workflow” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment.”.
- **02** When the source has headings, the agent prioritizes “Overview / When to Use / Workflow” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands, read environment variables; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands, read environment variables; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands, read environment variables.
Start with a small task and check whether the result follows “Overview / When to Use / Workflow”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-install
description: Install Claude skills from GitHub repositories with automated security scanning. Triggers when u…
category: security
source: stellarlinkco/myclaude
---
# skill-install
## When to use
- Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install s…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / When to Use / Workflow” and keep inference separate from source facts.
- read files, write/modify files, run shell commands, read environment variables; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-install" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / When to Use / Workflow
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands, read environment variables | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Skill Install
Overview
Install Claude skills from GitHub repositories with built-in security scanning to protect against malicious code, backdoors, and vulnerabilities.
When to Use
Trigger this skill when the user:
- Provides a GitHub repository URL and wants to install skills
- Asks to "install skills from GitHub"
- Wants to browse and select skills from a repository
- Needs to add new skills to their Claude environment
Workflow
Step 1: Parse GitHub URL
Accept a GitHub repository URL from the user. The URL should point to a repository containing a skills/ directory.
Supported URL formats:
https://github.com/user/repohttps://github.com/user/repo/tree/main/skillshttps://github.com/user/repo/tree/branch-name/skills
Extract:
- Repository owner
- Repository name
- Branch (default to
mainif not specified)
Step 2: Fetch Skills List
Use the WebFetch tool to retrieve the skills directory listing from GitHub.
GitHub API endpoint pattern:
https://api.github.com/repos/{owner}/{repo}/contents/skills?ref={branch}
Parse the response to extract:
- Skill directory names
- Each skill should be a subdirectory containing a SKILL.md file
Step 3: Present Skills to User
Use the AskUserQuestion tool to let the user select which skills to install.
Set multiSelect: true to allow multiple selections.
Present each skill with:
- Skill name (directory name)
- Brief description (if available from SKILL.md frontmatter)
Step 4: Fetch Skill Content
For each selected skill, fetch all files in the skill directory:
- Get the file tree for the skill directory
- Download all files (SKILL.md, scripts/, references/, assets/)
- Store the complete skill content for security analysis
Use WebFetch with GitHub API:
https://api.github.com/repos/{owner}/{repo}/contents/skills/{skill_name}?ref={branch}
For each file, fetch the raw content:
https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}
Step 5: Security Scan
CRITICAL: Before installation, perform a thorough security analysis of each skill.
Read the security scan prompt template from references/security_scan_prompt.md and apply it to analyze the skill content.
Examine for:
- Malicious Command Execution - eval, exec, subprocess with shell=True
- Backdoor Detection - obfuscated code, suspicious network requests
- Credential Theft - accessing ~/.ssh, ~/.aws, environment variables
- Unauthorized Network Access - external requests to suspicious domains
- File System Abuse - destructive operations, unauthorized writes
- Privilege Escalation - sudo attempts, system modifications
- Supply Chain Attacks - suspicious package installations
Output the security analysis with:
- Security Status: SAFE / WARNING / DANGEROUS
- Risk Level: LOW / MEDIUM / HIGH / CRITICAL
- Detailed findings with file locations and severity
- Recommendation: APPROVE / APPROVE_WITH_WARNINGS / REJECT
Step 6: User Decision
Based on the security scan results:
If SAFE (APPROVE):
- Proceed directly to installation
If WARNING (APPROVE_WITH_WARNINGS):
- Display the security warnings to the user
- Use AskUserQuestion to confirm: "Security warnings detected. Do you want to proceed with installation?"
- Options: "Yes, install anyway" / "No, skip this skill"
If DANGEROUS (REJECT):
- Display the critical security issues
- Refuse to install
- Explain why the skill is dangerous
- Do NOT provide an option to override for CRITICAL severity issues
Step 7: Install Skills
For approved skills, install to ~/.claude/skills/:
- Create the skill directory:
~/.claude/skills/{skill_name}/ - Write all skill files maintaining the directory structure
- Ensure proper file permissions (executable for scripts)
- Verify SKILL.md exists and has valid frontmatter
Use the Write tool to create files.
Step 8: Confirmation
After installation, provide a summary:
- List of successfully installed skills
- List of skipped skills (if any) with reasons
- Location:
~/.claude/skills/ - Next steps: "The skills are now available. Restart Claude or use them directly."
Example Usage
User: "Install skills from https://github.com/example/claude-skills"
Assistant:
- Fetches skills list from the repository
- Presents available skills: "skill-a", "skill-b", "skill-c"
- User selects "skill-a" and "skill-b"
- Performs security scan on each skill
- skill-a: SAFE - proceeds to install
- skill-b: WARNING (makes HTTP request) - asks user for confirmation
- Installs approved skills to ~/.claude/skills/
- Confirms: "Successfully installed: skill-a, skill-b"
Security Notes
- Never skip security scanning - Always analyze skills before installation
- Be conservative - When in doubt, flag as WARNING and let user decide
- Critical issues are blocking - CRITICAL severity findings cannot be overridden
- Transparency - Always show users what was found during security scans
- Sandboxing - Remind users that skills run with Claude's permissions
Resources
references/security_scan_prompt.md
Contains the detailed security analysis prompt template with:
- Complete list of security categories to check
- Output format requirements
- Example analyses for safe, suspicious, and dangerous skills
- Decision criteria for APPROVE/REJECT recommendations
Load this file when performing security scans to ensure comprehensive analysis.
Decide Fit First
Design Intent
How To Use It
Boundaries And Review