AI Skills
skill-install

skill-install

Popüler

Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment.

2Kyıldız
238fork
Güncellendi 1/22/2026
AlKaynak Kod
SKILL.md
readonlyread-only
name
skill-install
description

Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment.

Skill Install

Overview

Install Claude skills from GitHub repositories with built-in security scanning to protect against malicious code, backdoors, and vulnerabilities.

When to Use

Trigger this skill when the user:

  • Provides a GitHub repository URL and wants to install skills
  • Asks to "install skills from GitHub"
  • Wants to browse and select skills from a repository
  • Needs to add new skills to their Claude environment

Workflow

Step 1: Parse GitHub URL

Accept a GitHub repository URL from the user. The URL should point to a repository containing a skills/ directory.

Supported URL formats:

  • https://github.com/user/repo
  • https://github.com/user/repo/tree/main/skills
  • https://github.com/user/repo/tree/branch-name/skills

Extract:

  • Repository owner
  • Repository name
  • Branch (default to main if not specified)

Step 2: Fetch Skills List

Use the WebFetch tool to retrieve the skills directory listing from GitHub.

GitHub API endpoint pattern:

https://api.github.com/repos/{owner}/{repo}/contents/skills?ref={branch}

Parse the response to extract:

  • Skill directory names
  • Each skill should be a subdirectory containing a SKILL.md file

Step 3: Present Skills to User

Use the AskUserQuestion tool to let the user select which skills to install.

Set multiSelect: true to allow multiple selections.

Present each skill with:

  • Skill name (directory name)
  • Brief description (if available from SKILL.md frontmatter)

Step 4: Fetch Skill Content

For each selected skill, fetch all files in the skill directory:

  1. Get the file tree for the skill directory
  2. Download all files (SKILL.md, scripts/, references/, assets/)
  3. Store the complete skill content for security analysis

Use WebFetch with GitHub API:

https://api.github.com/repos/{owner}/{repo}/contents/skills/{skill_name}?ref={branch}

For each file, fetch the raw content:

https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}

Step 5: Security Scan

CRITICAL: Before installation, perform a thorough security analysis of each skill.

Read the security scan prompt template from references/security_scan_prompt.md and apply it to analyze the skill content.

Examine for:

  1. Malicious Command Execution - eval, exec, subprocess with shell=True
  2. Backdoor Detection - obfuscated code, suspicious network requests
  3. Credential Theft - accessing ~/.ssh, ~/.aws, environment variables
  4. Unauthorized Network Access - external requests to suspicious domains
  5. File System Abuse - destructive operations, unauthorized writes
  6. Privilege Escalation - sudo attempts, system modifications
  7. Supply Chain Attacks - suspicious package installations

Output the security analysis with:

  • Security Status: SAFE / WARNING / DANGEROUS
  • Risk Level: LOW / MEDIUM / HIGH / CRITICAL
  • Detailed findings with file locations and severity
  • Recommendation: APPROVE / APPROVE_WITH_WARNINGS / REJECT

Step 6: User Decision

Based on the security scan results:

If SAFE (APPROVE):

  • Proceed directly to installation

If WARNING (APPROVE_WITH_WARNINGS):

  • Display the security warnings to the user
  • Use AskUserQuestion to confirm: "Security warnings detected. Do you want to proceed with installation?"
  • Options: "Yes, install anyway" / "No, skip this skill"

If DANGEROUS (REJECT):

  • Display the critical security issues
  • Refuse to install
  • Explain why the skill is dangerous
  • Do NOT provide an option to override for CRITICAL severity issues

Step 7: Install Skills

For approved skills, install to ~/.claude/skills/:

  1. Create the skill directory: ~/.claude/skills/{skill_name}/
  2. Write all skill files maintaining the directory structure
  3. Ensure proper file permissions (executable for scripts)
  4. Verify SKILL.md exists and has valid frontmatter

Use the Write tool to create files.

Step 8: Confirmation

After installation, provide a summary:

  • List of successfully installed skills
  • List of skipped skills (if any) with reasons
  • Location: ~/.claude/skills/
  • Next steps: "The skills are now available. Restart Claude or use them directly."

Example Usage

User: "Install skills from https://github.com/example/claude-skills"

Assistant:

  1. Fetches skills list from the repository
  2. Presents available skills: "skill-a", "skill-b", "skill-c"
  3. User selects "skill-a" and "skill-b"
  4. Performs security scan on each skill
  5. skill-a: SAFE - proceeds to install
  6. skill-b: WARNING (makes HTTP request) - asks user for confirmation
  7. Installs approved skills to ~/.claude/skills/
  8. Confirms: "Successfully installed: skill-a, skill-b"

Security Notes

  • Never skip security scanning - Always analyze skills before installation
  • Be conservative - When in doubt, flag as WARNING and let user decide
  • Critical issues are blocking - CRITICAL severity findings cannot be overridden
  • Transparency - Always show users what was found during security scans
  • Sandboxing - Remind users that skills run with Claude's permissions

Resources

references/security_scan_prompt.md

Contains the detailed security analysis prompt template with:

  • Complete list of security categories to check
  • Output format requirements
  • Example analyses for safe, suspicious, and dangerous skills
  • Decision criteria for APPROVE/REJECT recommendations

Load this file when performing security scans to ensure comprehensive analysis.

You Might Also Like

Related Skills

create-pr

create-pr

170Kdev-devops

Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.

n8n-io avatarn8n-io
Al
electron-chromium-upgrade

electron-chromium-upgrade

120Kdev-devops

Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.

electron avatarelectron
Al
pr-creator

pr-creator

92Kdev-devops

Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.

google-gemini avatargoogle-gemini
Al
clawdhub

clawdhub

87Kdev-devops

Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.

moltbot avatarmoltbot
Al
tmux

tmux

87Kdev-devops

Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.

moltbot avatarmoltbot
Al
create-pull-request

create-pull-request

57Kdev-devops

Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.

cline avatarcline
Al