Structs Diplomacy
Review
Audited by ClawScan on May 14, 2026.
Overview
This instruction-only skill is clearly aimed at Structs permission and address management, but those actions are high-impact and should be run only with explicit user confirmation.
Before installing or using this skill, treat every transaction as a real permission or identity change. Verify wallet context, addresses, object IDs, player IDs, and permission bits, and require explicit approval before granting PermAll, registering an address, revoking an address, or changing the primary signer.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could give another player control, remove needed access, or change permissions on valuable objects.
The skill documents transaction commands that can mutate Structs object permissions. This is central to the skill's purpose and is disclosed, but misuse could grant, revoke, or replace access controls.
`structsd tx structs permission-grant-on-object ...`, `permission-revoke-on-object ...`, `permission-set-on-object ...`
Use explicit user approval for every transaction, verify object IDs and player IDs, and prefer minimum-necessary permission bits.
If the wrong address or proof is used, a user could delegate account authority to someone else or lock themselves out.
The skill explicitly covers identity-level operations that add signing keys, revoke addresses, and update the primary signer. The text warns about these risks, making them purpose-aligned but high-impact.
`address-register` ... "You are attaching another signing key to your player"; `player-update-primary-address` ... "Changes which key the chain considers your primary signer."
Confirm address ownership, proof provenance, and wallet identity out-of-band before running address-register, address-revoke, or primary-address updates.
Users may have less assurance that the reviewed metadata exactly matches the published package version.
The included _meta.json version differs from the supplied registry metadata version 1.3.1. With no code or install spec this is not evidence of malicious behavior, but it is a packaging/provenance inconsistency.
"version": "1.0.1"
Verify the published skill version and source provenance before relying on it for high-impact wallet or permission operations.
