skill-fetch
skill-fetch is a cross-platform tool/skill that searches multiple registries for AI coding agent skills, scores and ranks results, applies security scanning/integrity hashing, and installs selected skills into supported agent environments (e.g., Claude Code, Cursor, Codex, Gemini CLI, Windsurf, Amp).
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Strengths claimed in README: pre/post installation SHA-256 integrity hash recording and tamper detection; a multi-category security scan including destructive commands, RCE, data exfiltration, system modification, obfuscation, and prompt-injection sub-types; optional permissions declarations in SKILL.md frontmatter and a mismatch-flagging scanner.
Uncertainties/risks from the provided content: TLS enforcement and secure transport details are not specified; scope granularity for API keys/OAuth is not described; dependency/vulnerability hygiene is not verifiable from the README excerpt; security scanning is a stated feature but exact methodology, thresholds, and failure modes are not provided.
⚡ Reliability
Best When
You want an agent workflow to discover and install third-party skills quickly, with built-in scoring, security labeling, and integrity hash tracking across several registries.
Avoid When
You have strict requirements for supply-chain security evidence beyond static scanning/integrity hashes (e.g., formal verification, signed artifacts), or you cannot tolerate that the tool will rely on external registries/APIs.
Use Cases
- Search across multiple skill registries (GitHub + SkillsMP + others) for relevant agent skills
- Rank results for quality (relevance/freshness/community/trust) and present a paginated list
- Install skills across multiple agent platforms with local/user-level installation options
- Run a pre-install security scan (categories including RCE, destructive commands, data exfiltration, prompt injection) and record SHA-256 hashes for integrity/tamper detection
Not For
- Use as a fully automated security assurance system without human review of “Security Concerns”/high-severity findings
- Use in environments that cannot provide outbound network access to external registries/APIs
Interface
Authentication
Authentication is primarily API-key based for some registries (not all). The README also instructs an interactive command (/fetch-skill-config) for setting keys in a local JSON config. No OAuth flow is described.
Pricing
Pricing for the service itself is not described. External registries (e.g., SkillsMP) may require paid/free-tier API keys depending on their own policies, but those details are not included here.
Agent Metadata
Known Gotchas
- ⚠ Install/update behavior differs by agent integration path (Claude Code plugin vs npx vs curl/sh vs Python vs manual copy).
- ⚠ Some sources require API keys (SkillsMP MCP for Sources 1-2; Skills Directory for Source 9); without keys, fewer results are available.
- ⚠ Security scan and hash verification occur around installation/loading, but behavior of scan failures or false positives is not detailed in the README excerpt.
- ⚠ Interactive install requires a mandatory prompt for local vs global installation; non-interactive environments may require alternative flows.
Alternatives
Scores are editorial opinions as of 2026-03-30.