Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Structs Combat
v1.2.0
Executes combat operations in Structs. Covers attacks, raids, defense setup, and stealth positioning. Use when attacking enemy structs, raiding a planet for...
by @abstrct
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md is a procedural guide for the 'structsd' CLI (transaction submission, stealth activation, fleet movement, PoW compute). The registry metadata, however, lists no required binaries, no required credentials, and no install steps. A combat/transaction skill would reasonably require the 'structsd' binary and access to signing keys; their absence in the declared requirements is an incoherence.
Instruction Scope
The instructions direct the agent (or user) to run transaction-signing commands (e.g., 'structsd tx ... --from [key-name]') that will submit on-chain transactions, and to run long-running PoW compute locally. These actions involve signing with local keys, spending assets, and heavy CPU use: all sensitive operations that are neither constrained nor documented in the metadata.
Install Mechanism
There is no install spec (instruction-only), which is lower risk from a code-supply perspective. However, because the instructions depend on an external CLI ('structsd') that is not declared, the missing install/dependency declaration is a notable omission rather than a benign one.
Credentials
The skill declares no environment variables or primary credentials, but its runtime steps implicitly require access to signing keys (via '--from [key-name]') and potentially local keyrings/config files. It also directs the user to run local PoW compute which consumes CPU. The skill does not declare or justify access to these sensitive local artifacts.
Persistence & Privilege
The skill is not always-enabled and has no install hooks or config paths declared. It does not request persistent system presence in the metadata. Note: autonomous invocation is allowed by default but this alone is normal for skills.
What to consider before installing
This skill will run transaction commands and PoW compute via the 'structsd' CLI and expects you to use local signing keys. Before installing or running it:
1) Verify the skill's source/homepage and the origin of the 'structsd' binary — do not run untrusted binaries.
2) Expect to use local wallet/keyring entries (the skill uses '--from [key-name]'); never paste private keys into untrusted interfaces.
3) Understand that transactions will be signed/submitted (may spend assets) and PoW compute will use CPU on your machine.
4) Ask the author for missing metadata: required binary ('structsd' name and version), exact key/location requirements, any config paths, and a repository link.
5) If you test, do so in a sandbox or with test keys/accounts first.
6) The _meta.json version mismatch vs registry and the lack of declared dependencies are red flags—proceed only after obtaining clear provenance and verifying the CLI and commands on a safe test environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk974ry527cfr3z2682s8fyz6k583xv12
