install-skill
Facilitates the installation of newly authored skills into AI coding agents, ensuring proper symlink and GitHub integration.
Install this skill
or
58/100
Security score
The install-skill skill was audited on May 31, 2026 and we found 10 security issues across 1 threat category. Review the findings below before installing.
Categories Tested
Security Issues
medium line 3
Access to hidden dotfiles in home directory
SourceSKILL.md
| 3 | description: Install a freshly authored skill into ~/skills/ (the source-of-truth repo), symlink it into the active agent directories (~/.claude/skills/, ~/.cursor/skills/), and commit + push to the c |
medium line 10
Access to hidden dotfiles in home directory
SourceSKILL.md
| 10 | The user's setup uses **`~/skills/` as the single source of truth**. Agent directories (`~/.claude/skills/`, `~/.cursor/skills/`) hold only symlinks pointing back here. Never copy a skill into the age |
medium line 18
Access to hidden dotfiles in home directory
SourceSKILL.md
| 18 | | `~/skills/bin/sync.sh` | Symlinks `~/skills/*` into `~/.claude/skills/` and/or `~/.cursor/skills/` | |
medium line 19
Access to hidden dotfiles in home directory
SourceSKILL.md
| 19 | | `~/.claude/skills/<name>` | Symlink → `~/skills/<name>/` | |
medium line 20
Access to hidden dotfiles in home directory
SourceSKILL.md
| 20 | | `~/.cursor/skills/<name>` | Symlink → `~/skills/<name>/` | |
low line 67
Access to hidden dotfiles in home directory
SourceSKILL.md
| 67 | ls -la ~/.claude/skills/<skill-name> # should show -> /Users/henry/skills/<skill-name>/ |
low line 68
Access to hidden dotfiles in home directory
SourceSKILL.md
| 68 | ls -la ~/.cursor/skills/<skill-name> |
medium line 94
Access to hidden dotfiles in home directory
SourceSKILL.md
| 94 | - **Symlink already points to `~/.agents/skills/<name>`.** That's the legacy npx-install path. `sync.sh` will replace it — `~/skills/` is now the canonical home. Confirm with the user before clobberin |
medium line 95
Access to hidden dotfiles in home directory
SourceSKILL.md
| 95 | - **Real directory at the target.** `sync.sh` refuses to overwrite a real directory at `~/.claude/skills/<name>`. Inspect it; if it's a bundled-skill package (e.g. `claude-skills-weekly`), leave it al |
medium line 108
Access to hidden dotfiles in home directory
SourceSKILL.md
| 108 | - **Skill not picked up after restart.** Confirm the symlink resolves (`readlink ~/.claude/skills/<name>`), confirm frontmatter parses, and check `~/.claude/settings.json` doesn't disable skill loadin |
Scanned on May 31, 2026
View Security Dashboard