Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Structs Economy

v1.2.0

Manages economic operations in Structs. Covers reactor staking, energy providers, agreements, allocations, generator infusion, and token transfers. Use when...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability [flagged]
SKILL.md clearly implements blockchain operations via the `structsd` CLI (staking, infusing, provider/agreement management, token transfers). However the registry metadata declares no required binaries or credentials even though the runtime instructions require the `structsd` binary and access to account keys. This mismatch is not proportional to the stated purpose.
Instruction Scope [flagged]
Instructions direct the agent to create and broadcast on-chain transactions (using `--from [key-name]` and `TX_FLAGS -y`), including irreversible operations (generator infusion). The skill does not specify where signing keys/keyring live or how keys are provided; running these commands implies access to private keys and will alter blockchain state. The instructions do not attempt to read unrelated local files, but they assume sensitive local key material and a correctly configured `structsd` environment.
Install Mechanism
There is no install spec (instruction-only), which lowers installer risk. However, absence of an install step does not remove the real requirement that `structsd` must be present on PATH — that required binary is not declared in the registry metadata.
Credentials [flagged]
The skill requests no environment variables or credentials in metadata, yet its runtime usage requires access to signing keys (via `--from`) and an existing `structsd` configuration/keyring. Requesting no declared credentials while instructing transaction signing is a proportionality issue and a potential privacy/security concern.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request persistent platform privileges or attempt to modify other skills/configuration. Autonomous invocation is allowed by default (not flagged here) but combined with the credential issues above it increases operational risk.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner found nothing — expected because this is an instruction-only skill (no code files) so there was nothing for the scanner to analyze.
[missing_declared_binary_structsd] unexpected: SKILL.md invokes the `structsd` CLI for all operations, but the skill metadata lists no required binaries. The missing declaration is inconsistent and noteworthy.
[meta_version_timestamp_mismatch] unexpected: _meta.json in the package contains a different version (1.0.1) and a strange publishedAt value that does not match the registry metadata (version 1.2.0, published 2026-03-30). Lack of provenance / metadata mismatch reduces trust.
What to consider before installing
This skill is essentially a cookbook of `structsd` CLI commands that will perform irreversible blockchain actions and require signing with local keys. Before installing or letting an agent execute it:
1) Ensure you have `structsd` installed and understand how it uses a keyring; the skill does not declare that dependency.
2) Do not allow the agent to run transactions autonomously unless you trust it — commands use `--from [key-name]` and `-y` which will sign/broadcast if keys are available.
3) Verify provenance: the package has no homepage/source and its _meta.json metadata mismatches the registry record.
4) Prefer the agent to output command strings for manual review and execution, or test on a sandbox/testnet account with no real funds.
5) If you must authorize automated use, limit the key used to a low-value/test account and confirm the agent cannot access your primary keyring or private keys.
