skill-fetch

mcp
Security Audit
Pass
Health Pass
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 23 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This MCP server acts as a search engine and package manager for AI coding agents. It allows users to search, score, and install custom "skills" across nine different registries directly into tools like Claude Code, Cursor, and others.

Security Assessment
Overall Risk: Medium. The tool is designed to discover and execute external code, which inherently carries risk. To its credit, it includes strong built-in mitigations: it performs a 6-category security scan on downloaded files, actively checks for prompt injections, and uses SHA-256 hash verification to detect file tampering. It also relies on shell scripts and avoids exposing API keys in process arguments. No dangerous patterns, hardcoded secrets, or excessive permissions were found in the tool's own code. However, the risk remains moderate because its core function involves fetching and executing third-party scripts from the internet.

Quality Assessment
The project is actively maintained, with its most recent code push happening today. It is fully licensed under the permissive and standard MIT license. It has garnered 23 GitHub stars, indicating a small but growing level of community trust and real-world usage. A recent CI workflow is also in place, showing good automated testing practices.

Verdict
Use with caution—the tool itself is well-structured and secure, but always review the third-party skills and scripts you choose to install through it.
SUMMARY

Multi-registry skill discovery and installation for AI coding agents — search 9 sources, score, paginate, and install agent skills with security labels

README.md

skill-fetch

License: MIT

Cross-platform skill discovery and installation for AI coding agents

Search, score, and install AI agent skills from 9 registries in parallel — works across Claude Code, Cursor, Codex, Gemini CLI, Windsurf, and Amp.

Quick Start

  1. Install — pick any method from Installation below
  2. Set up API keys — run /fetch-skill-config (interactive, recommended) or configure manually
  3. Search & install skills: /fetch-skill react native animation

Features

  • 9 Search Sources — SkillsMP (semantic + keyword), GitHub, Anthropic Skills, ClawSkillHub, skills.sh, PolySkill, SkillHub, Skills Directory
  • Cross-Platform — Works on 6+ AI coding agents with automatic tool adaptation
  • Multi-Variant AI Search — 3 query variants fired in parallel, improving recall significantly
  • Quality Scoring — 0-100 composite score: Relevance (40) + Freshness (25) + Community (20) + Trust (15) + External Bonus (5)
  • Security Labels — 5 trust tiers: Official, Verified, Partial, Unverified, Security Concerns
  • 6-Category Security Scan — Destructive commands, RCE, data exfiltration, system modification, obfuscation, prompt injection
  • Prompt Injection Detection — 5 sub-categories (PI-1~PI-5): direct override, hidden role markers, encoding tricks, indirect injection, social engineering
  • Complete Bundle Install — Downloads the whole skill directory (SKILL.md + references/, scripts/, assets/, templates/, prompts/, data/, etc.), preserving the subtree layout so skills that delegate to sibling files actually work
  • Integrity Verification — SHA-256 hash recorded for every file in the bundle at install; tamper detection on future loads
  • Paginated Results — Browse 5 at a time with c to continue; install by number from any page
  • Local/Global Install — Choose project-level or user-level installation (mandatory prompt)
  • Deduplication — Same skill across registries is merged; similar descriptions are flagged
  • Bundled Scripts — Shell scripts for SkillHub and Skills Directory APIs (no API key exposure in argv) plus fetch-skill-bundle.sh for full-bundle GitHub installs

Installation

Choose the method that fits your setup:

Option 1: Plugin (Best experience, Claude Code)

# Add the skill-fetch marketplace
claude plugin marketplace add girofu/skill-fetch

# Install skill-fetch plugin
claude plugin install skill-fetch@skill-fetch

Provides auto-updates, /fetch-skill command, and full plugin integration.

Option 2: npx skills add (Node.js)

npx skills add girofu/skill-fetch

Works with Claude Code, Cursor, and Codex.

Option 3: curl | sh (Universal, zero dependencies)

curl -fsSL https://raw.githubusercontent.com/girofu/skill-fetch/main/install.sh | bash

Auto-detects installed agents and installs for all of them. Specify a single agent:

curl -fsSL https://raw.githubusercontent.com/girofu/skill-fetch/main/install.sh | bash -s -- --agent claude

Option 4: Python installer

python3 -c "$(curl -fsSL https://raw.githubusercontent.com/girofu/skill-fetch/main/install.py)"

Or download and run:

curl -fsSL https://raw.githubusercontent.com/girofu/skill-fetch/main/install.py -o install.py
python3 install.py --agent cursor

Option 5: Manual (git clone)

git clone https://github.com/girofu/skill-fetch.git
# Claude Code
cp -r skill-fetch/skills/skill-fetch ~/.claude/skills/skill-fetch

# Cursor
cp -r skill-fetch/skills/skill-fetch ~/.cursor/skills/skill-fetch

# Other agents: replace ~/.cursor/ with ~/.codex/, ~/.gemini/, ~/.windsurf/, or ~/.amp/

⚙️ Setup API Keys

Important: API keys unlock the full 9-source search. Without them, only Sources 3-8 are available (still useful, but fewer results).

Interactive Setup (Recommended)

Run /fetch-skill-config in Claude Code. It will:

  • Show which keys are currently configured
  • Walk you through setting each key with links to get them
  • Automatically install the SkillsMP MCP server if needed
  • Write everything to ~/.claude/skills/.fetch-config.json

Manual Setup

🔑 SkillsMP API Key (Sources 1-2) — Recommended

SkillsMP provides the best semantic search with AI-powered matching. Get your free API key:

  1. Go to skillsmp.com and create an account
  2. Copy your API key
  3. Register the MCP server:
claude mcp add --scope user skillsmp -- npx -y skillsmp-mcp-server --env SKILLSMP_API_KEY=your_key_here
  4. Restart Claude Code — SkillsMP tools will be available in the next session

🔑 SkillHub & Skills Directory (Sources 8-9) — Optional

For additional coverage, create ~/.claude/skills/.fetch-config.json:

{
  "SKILLSMP_API_KEY": "your-skillsmp-key",
  "SKILLHUB_API_KEY": "sk-sh-your-key-here",
  "SKILLS_DIRECTORY_API_KEY": "sk_live_your-key-here"
}

Sources 3-8 work without any API keys. Source 9 (Skills Directory) requires a key.


Supported Agents

Agent Plugin npx curl/sh Python Manual
Claude Code
Cursor
Codex
Gemini CLI
Windsurf
Amp

Usage

# Search for skills (Claude Code)
/fetch-skill react native animation

# Install from URL
/fetch-skill https://github.com/owner/repo

# Auto-triggered by skill-eval hook
# (no manual invocation needed)

In other agents, the skill activates automatically when referenced in context.

How It Works

┌─────────────────────────────────────────────────────┐
│                   User Query                         │
│              "testing React Native"                  │
└──────────────────────┬──────────────────────────────┘
                       │
        ┌──────────────┼──────────────────┐
        ▼              ▼                  ▼
   ┌─────────┐   ┌──────────┐      ┌──────────┐
   │SkillsMP │   │SkillsMP  │      │SkillsMP  │
   │AI Var A  │   │AI Var B  │      │AI Var C  │
   └────┬─────┘   └────┬─────┘      └────┬─────┘
        │              │                  │
        └──────┬───────┘──────────┬───────┘
               ▼                  ▼
   ┌───────────────┐    ┌─────────────────┐
   │ SkillsMP KW   │    │    GitHub        │
   │ + Anthropic    │    │    + PolySkill   │
   └───────┬───────┘    └────────┬────────┘
           │                     │
   ┌───────┴───────┐    ┌───────┴────────┐
   │  ClawSkillHub │    │  skills.sh     │
   └───────┬───────┘    └───────┬────────┘
           │                     │
   ┌───────┴───────┐    ┌───────┴────────┐
   │  SkillHub     │    │ Skills         │
   │  (API script) │    │ Directory      │
   └───────┬───────┘    └───────┬────────┘
           │                     │
           └──────────┬──────────┘
                      ▼
              ┌───────────────┐
              │  Deduplicate  │
              │  Score & Rank │
              │  (0-100)      │
              └───────┬───────┘
                      ▼
              ┌───────────────┐
              │  Security     │
              │  Scan (A-F)   │
              └───────┬───────┘
                      ▼
              ┌───────────────┐
              │  Display 5    │
              │  per page     │
              └───────┬───────┘
                      ▼
              ┌───────────────┐
              │  User picks   │
              │  → Install    │
              │  → Hash       │
              └───────────────┘

Cross-platform note: SkillsMP sources require the MCP server + API key (see API Key Setup). On other platforms, the flow starts from GitHub + supplementary sources.

Search Sources

| # | Source | Method | Type | Availability |
|---|--------|--------|------|--------------|
| 1 | SkillsMP (semantic) | skillsmp_ai_search MCP × 3 variants | Primary | Claude Code + MCP |
| 2 | SkillsMP (keyword) | skillsmp_search MCP | Primary | Claude Code + MCP |
| 3 | GitHub | gh search code --filename SKILL.md (primary) + gh search repos (supplementary) | Primary | All agents |
| 4 | Anthropic Skills | gh search code in anthropics/skills | Official | All agents |
| 5 | ClawSkillHub | npx -y clawhub search | Supplementary | Agents with npx |
| 6 | skills.sh | HTTP API / WebFetch | Supplementary | All agents |
| 7 | PolySkill | npx -y @polyskill/cli search (single keyword) | Supplementary | Agents with npx |
| 8 | SkillHub | Bundled shell script (API) or CLI fallback | Supplementary | All agents |
| 9 | Skills Directory | Bundled shell script (API) | Supplementary | Configured agents |

All sources are searched in parallel. Sources fail gracefully — if any is unavailable, the search continues with remaining sources.

API Key Setup

See ⚙️ Setup API Keys above for detailed instructions.

Quality Scoring

Each result receives a composite score (0-100):

| Dimension | Weight | How |
|-----------|--------|-----|
| Relevance | 0-40 | LLM judges description-to-task semantic match |
| Freshness | 0-25 | Time since last GitHub push |
| Community | 0-20 | Star count (log scale) |
| Trust | 0-15 | Source credibility tier |
| External Bonus | 0-5 | Security/quality signals from PolySkill, SkillHub, Skills Directory |

Grade labels:

| Score | Label |
|-------|-------|
| 85+ | 🟢 Strongly Recommended |
| 70-84 | 🟢 Recommended |
| 55-69 | 🟡 Worth Considering |
| 40-54 | 🟡 Marginal |
| <40 | 🔴 Not Recommended |

Security

Security Labels

| Label | Criteria |
|-------|----------|
| 🔒 Official | From anthropics/skills repo |
| 🔒 Verified | SkillsMP stars ≥ 50 + securityGrade A/B + scan clean |
| ⚠️ Partial | Lower stars but scan clean, or standard frontmatter present |
| ⚠️ Unverified | Direct URL or no external signals |
| ⚠️ Security Concerns | Scan found issues or securityGrade D/F |

6-Category Security Scan

All skills are scanned before (or immediately after) installation:

| Category | Name | Severity |
|----------|------|----------|
| A | Destructive Commands | Critical |
| B | Remote Code Execution | Critical |
| C | Data Exfiltration | High |
| D | System Modification | High |
| E | Obfuscation | Medium |
| F | Prompt Injection (5 sub-types) | High |

Integrity Verification

After installation, SHA-256 hashes are recorded for all skill files. On future loads, hashes are compared to detect tampering.
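
The record-then-compare flow described above, as an added example (not skill-fetch's own code). It assumes a JSON manifest kept outside the skill directory; the manifest name, the function names and the demo bundle are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file's POSIX relative path to its SHA-256 hex digest."""
    state = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            # Record the target rather than hashing whatever it points at.
            state[rel] = "symlink:" + os.readlink(p)
        elif p.is_file():
            state[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def record(root: Path, manifest: Path) -> None:
    manifest.write_text(json.dumps(snapshot(root), indent=2))


def verify(root: Path, manifest: Path) -> dict:
    """Diff the bundle against the manifest written at install time."""
    old, new = json.loads(manifest.read_text()), snapshot(root)
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "missing": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
    }


def demo() -> dict:
    """Constructed bundle: install, verify clean, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest = Path(tmp, "demo-skill"), Path(tmp, "demo-skill.sha256.json")
        for rel, text in {"SKILL.md": "# demo\n", "scripts/run.sh": "echo hi\n",
                          "references/notes.md": "notes\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        record(root, manifest)
        clean = verify(root, manifest)
        (root / "scripts/run.sh").write_text("echo hi; echo changed\n")
        (root / "references/notes.md").unlink()
        (root / "scripts/extra.sh").write_text("echo new\n")
        return {"clean": clean, "tampered": verify(root, manifest)}
```

A manifest stored inside the bundle can be rewritten along with the files, which is why this example keeps it outside the skill directory.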

Permissions Declaration (Advisory)

Skills may optionally declare their required permissions (network, filesystem-write, shell-commands, external-urls) in SKILL.md frontmatter. The scanner flags mismatches between declared and actual behavior.
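
One way a declared-versus-observed check can work, as an added example rather than skill-fetch's scanner. The four permission names are from the README; the `permissions` frontmatter key, the regex indicators and the sample bundle are assumptions made for illustration.

```python
import re

# Permission names come from the README; these regexes are illustrative
# heuristics chosen for this example, not skill-fetch's scanner rules.
INDICATORS = {
    "network": re.compile(r"\b(curl|wget|nc)\b|\brequests\.(get|post)\b|\burllib\b"),
    "filesystem-write": re.compile(r"\b(rm|mv|cp|mkdir|tee)\s|>>?\s*[\w~/.$]"),
    "shell-commands": re.compile(r"\bsubprocess\.|\bos\.system\(|^#!.*\b(sh|bash)\b", re.M),
    "external-urls": re.compile(r"https?://[\w.-]+"),
}


def declared_permissions(skill_md: str) -> set:
    """Read an assumed `permissions:` key (inline or block list) from frontmatter."""
    m = re.match(r"---\n(.*?)\n---\n", skill_md, re.S)
    if not m:
        return set()
    block = re.search(r"^permissions:[ \t]*(.*(?:\n[ \t]+-.*)*)", m.group(1), re.M)
    if not block:
        return set()
    return set(re.findall(r"[a-z][a-z-]+", block.group(1)))


def audit(files: dict) -> dict:
    """files maps relative path -> text; returns declared/observed mismatches."""
    declared = declared_permissions(files.get("SKILL.md", ""))
    evidence = {}
    for path, text in files.items():
        if path == "SKILL.md":
            # Scan only the body, not the declaration itself.
            text = re.sub(r"\A---\n.*?\n---\n", "", text, flags=re.S)
        for perm, rx in INDICATORS.items():
            if rx.search(text):
                evidence.setdefault(perm, []).append(path)
    return {
        "undeclared": {p: evidence[p] for p in sorted(set(evidence) - declared)},
        "declared_unused": sorted(declared - set(evidence)),
    }


# Constructed sample bundle: declares two permissions, uses four.
SAMPLE = {
    "SKILL.md": "---\nname: demo-skill\npermissions: [filesystem-write, shell-commands]\n"
                "---\n# Demo skill\nRun scripts/format.sh on the changelog.\n",
    "scripts/format.sh": "#!/bin/sh\ncurl -fsS https://example.invalid/template > out.md\n",
}
```

Pattern matching of this kind only sees literal text, so it complements the obfuscation category of the scan instead of replacing it.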

File Structure

skill-fetch/
├── .claude-plugin/
│   └── plugin.json                   # Claude Code plugin manifest
├── commands/
│   ├── fetch-skill.md               # /fetch-skill slash command
│   └── fetch-skill-config.md        # /fetch-skill-config API key setup
├── skills/
│   └── skill-fetch/
│       ├── SKILL.md                  # Main skill (cross-platform)
│       ├── references/
│       │   ├── search-sources.md     # Source-specific commands & dedup rules
│       │   ├── quality-signals.md    # Scoring algorithm + security labels
│       │   ├── interaction-patterns.md # Output templates, security scan, prompt injection
│       │   ├── platform-adapters.md  # Cross-platform tool mapping
│       │   ├── installation-guide.md # Complete Step 3 install workflow
│       │   └── local-index.md        # Local skill/plugin scan for pre-search dedup
│       └── scripts/
│           ├── fetch-skill-bundle.sh    # Download a complete skill bundle from GitHub (SKILL.md + all siblings)
│           ├── fetch-skillhub.sh        # SkillHub API search (reads key from config)
│           └── fetch-skills-directory.sh # Skills Directory API search
├── .github/
│   └── maintainer/                   # Per-repo state for open-source-maintainer workflow
├── install.sh                        # Universal bash installer
├── install.py                        # Python installer
├── CHANGELOG.md                      # Version history
├── README.md                         # This file
└── LICENSE                           # MIT

Requirements

Minimum (any agent):

  • Shell with curl or WebFetch for HTTP-based searches

Full experience (Claude Code):

  • SkillsMP MCP server + API key from skillsmp.com (see API Key Setup)
  • GitHub CLI (gh) for GitHub and Anthropic Skills search
  • Node.js for npx-based searches (ClawSkillHub, PolySkill, SkillHub CLI)
  • ~/.claude/skills/.fetch-config.json for SkillHub and Skills Directory APIs (optional)

License

MIT
