Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Play Structs
v1.2.0The starting skill for AI agents playing Structs. Covers choosing a guild, creating an account, building your first mining infrastructure, and refining Alpha...
⭐ 0· 323·0 current·0 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to guide a player through Structs gameplay, which fits the commands shown. However the SKILL.md expects the presence of several tools (structsd, node, npm, curl) and other skills (structsd-install, structs-onboarding) but the registry metadata lists no required binaries, env vars, or config paths. That mismatch (instructions requiring binaries and other local skill code while metadata declares none) is incoherent and should be clarified.
Instruction Scope
The instructions tell the agent/user to run network requests (curl to reactor.oh.energy), execute local node scripts under .cursor/skills/structs-onboarding/scripts, and to create and recover a mnemonic key. Those actions are reasonable for a game onboarding flow, but they involve handling secrets (mnemonic/private key) and executing code from a skill folder — both of which expand the security surface. The SKILL.md does not constrain where mnemonics may be stored or how the agent should treat them.
Install Mechanism
There is no install spec and no code files in the registry package, so nothing will be written to disk by installation itself. This lowers install risk. However, the runtime instructions call out installing/using other skills and running npm/node in local skill paths, which implies additional code may be executed at runtime if those other skills are present.
Credentials
The skill declares no required environment variables or credentials, yet it instructs the user to generate and 'save the mnemonic securely' and to add/recover keys into structsd. The skill gives no guidance for safe handling of those secrets and the agent metadata does not request or protect any credential scope. This mismatch increases the risk that secrets could be mishandled by an agent following these instructions.
Persistence & Privilege
always is false and there is no install-time persistence. The skill can be invoked by the agent (normal), but it does not request permanent presence or system-wide configuration changes.
What to consider before installing
This skill appears to be an in-game walkthrough, but several things don't add up: (1) SKILL.md expects structsd, node, npm, and curl even though the skill metadata lists no required binaries — verify you have these installed and that the author meant to require them. (2) The instructions ask you to generate and store a mnemonic/private key; never paste your mnemonic into chat or untrusted forms. Only run recovery commands on machines you control, and consider using secure storage (hardware wallet or encrypted vault). (3) The skill calls external endpoints (reactor.oh.energy, crew.oh.energy); confirm those endpoints are legitimate for the game before sending any keys or transactions. (4) The skill tells you to run node scripts from .cursor/skills/structs-onboarding/scripts — ensure the onboarding skill source is trustworthy before executing code from it. If you plan to let an agent run this autonomously, restrict its permissions for handling secrets and network access, or run these steps manually.Like a lobster shell, security has layers — review code before you run it.
latestvk973q1y360j6406ff632b3p55d83w8kb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.