{"id":"girofu-skill-fetch","name":"skill-fetch","homepage":"https://github.com/girofu/skill-fetch#readme","repo_url":"https://github.com/girofu/skill-fetch","category":"devtools","subcategories":[],"tags":["agent-skills","skill-discovery","skill-installer","security-scanning","supply-chain-integrity","mcp","claude-code","cursor","codex"],"what_it_does":"skill-fetch is a cross-platform tool/skill that searches multiple registries for AI coding agent skills, scores and ranks results, applies security scanning/integrity hashing, and installs selected skills into supported agent environments (e.g., Claude Code, Cursor, Codex, Gemini CLI, Windsurf, Amp).","use_cases":["Search across multiple skill registries (GitHub + SkillsMP + others) for relevant agent skills","Rank results for quality (relevance/freshness/community/trust) and present a paginated list","Install skills across multiple agent platforms with local/user-level installation options","Run a pre-install security scan (categories including RCE, destructive commands, data exfiltration, prompt injection) and record SHA-256 hashes for integrity/tamper detection"],"not_for":["Use as a fully automated security assurance system without human review of “Security Concerns”/high-severity findings","Use in environments that cannot provide outbound network access to external registries/APIs"],"best_when":"You want an agent workflow to discover and install third-party skills quickly, with built-in scoring, security labeling, and integrity hash tracking across several registries.","avoid_when":"You have strict requirements for supply-chain security evidence beyond static scanning/integrity hashes (e.g., formal verification, signed artifacts), or you cannot tolerate that the tool will rely on external registries/APIs.","alternatives":["Use individual registries directly (e.g., GitHub search, Anthropic Skills repository)","Use agent-native marketplaces/plugins (e.g., Claude Code plugin marketplace) for curated skill install flows","Manual curation of skills with your own scanning/integrity verification pipeline"],"af_score":53.0,"security_score":48.0,"reliability_score":36.2,"package_type":"skill","discovery_source":["openclaw"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:33:37.641220+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":false,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["MCP-based API key setup for SkillsMP (via Claude mcp add --scope user skillsmp ...)","Optional API-key configuration via ~/.claude/skills/.fetch-config.json for SkillHub/Skills Directory"],"oauth":false,"scopes":false,"notes":"Authentication is primarily API-key based for some registries (not all). The README also instructs an interactive command (/fetch-skill-config) for setting keys in a local JSON config. No OAuth flow is described."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Pricing for the service itself is not described. External registries (e.g., SkillsMP) may require paid/free-tier API keys depending on their own policies, but those details are not included here."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":53.0,"security_score":48.0,"reliability_score":36.2,"mcp_server_quality":0.0,"documentation_accuracy":72.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":75.0,"rate_limit_clarity":20.0,"tls_enforcement":50.0,"auth_strength":60.0,"scope_granularity":30.0,"dependency_hygiene":40.0,"secret_handling":55.0,"security_notes":"Strengths claimed in README: pre/post installation SHA-256 integrity hash recording and tamper detection; a multi-category security scan including destructive commands, RCE, data exfiltration, system modification, obfuscation, and prompt-injection sub-types; optional permissions declarations in SKILL.md frontmatter and a mismatch-flagging scanner. Uncertainties/risks from the provided content: TLS enforcement and secure transport details are not specified; scope granularity for API keys/OAuth is not described; dependency/vulnerability hygiene is not verifiable from the README excerpt; security scanning is a stated feature but exact methodology, thresholds, and failure modes are not provided.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":50.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"page-based (browse 5 at a time; continue with c)","retry_guidance_documented":false,"known_agent_gotchas":["Install/update behavior differs by agent integration path (Claude Code plugin vs npx vs curl/sh vs Python vs manual copy).","Some sources require API keys (SkillsMP MCP for Sources 1-2; Skills Directory for Source 9); without keys, fewer results are available.","Security scan and hash verification occur around installation/loading, but behavior of scan failures or false positives is not detailed in the README excerpt.","Interactive install requires mandatory prompt for local vs global installation; non-interactive environments may require alternative flows."]}}