Skill v1.2.0

ClawScan security

Structs Economy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 30, 2026, 3:12 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill is a coherent CLI guide for Structs blockchain operations but omits declaring the required CLI/tooling and credentials, and has provenance/metadata inconsistencies — exercise caution before installing or letting an agent run it.
Guidance
This skill is essentially a cookbook of `structsd` CLI commands that will perform irreversible blockchain actions and require signing with local keys. Before installing or letting an agent execute it:
1) Ensure you have `structsd` installed and understand how it uses a keyring; the skill does not declare that dependency.
2) Do not allow the agent to run transactions autonomously unless you trust it; commands use `--from [key-name]` and `-y`, which will sign and broadcast if keys are available.
3) Verify provenance: the package has no homepage/source and its _meta.json metadata mismatches the registry record.
4) Prefer to have the agent output command strings for manual review and execution, or test on a sandbox/testnet account with no real funds.
5) If you must authorize automated use, limit the key used to a low-value/test account and confirm the agent cannot access your primary keyring or private keys.
Findings
[no_regex_findings] expected: The static regex scanner found nothing — expected because this is an instruction-only skill (no code files) so there was nothing for the scanner to analyze.
[missing_declared_binary_structsd] unexpected: SKILL.md invokes the `structsd` CLI for all operations, but the skill metadata lists no required binaries. The missing declaration is inconsistent and noteworthy.
[meta_version_timestamp_mismatch] unexpected: _meta.json in the package contains a different version (1.0.1) and a strange publishedAt value that does not match the registry metadata (version 1.2.0, published 2026-03-30). Lack of provenance / metadata mismatch reduces trust.

Review Dimensions

Purpose & Capability
concern: SKILL.md clearly implements blockchain operations via the `structsd` CLI (staking, infusing, provider/agreement management, token transfers). However, the registry metadata declares no required binaries or credentials even though the runtime instructions require the `structsd` binary and access to account keys. This mismatch is disproportionate to the stated purpose.
Instruction Scope
concern: Instructions direct the agent to create and broadcast on-chain transactions (using `--from [key-name]` and `TX_FLAGS -y`), including irreversible operations (generator infusion). The skill does not specify where signing keys/keyring live or how keys are provided; running these commands implies access to private keys and will alter blockchain state. The instructions do not attempt to read unrelated local files, but they assume sensitive local key material and a correctly configured `structsd` environment.
Install Mechanism
note: There is no install spec (instruction-only), which lowers installer risk. However, the absence of an install step does not remove the real requirement that `structsd` must be present on PATH; that required binary is not declared in the registry metadata.
Credentials
concern: The skill requests no environment variables or credentials in metadata, yet its runtime usage requires access to signing keys (via `--from`) and an existing `structsd` configuration/keyring. Requesting no declared credentials while instructing transaction signing is a proportionality issue and a potential privacy/security concern.
Persistence & Privilege
ok: `always` is false and the skill is user-invocable; it does not request persistent platform privileges or attempt to modify other skills/configuration. Autonomous invocation is allowed by default (not flagged here), but combined with the credential issues above it increases operational risk.