v1.2.0

Structs Energy

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:16 AM.

Analysis

The skill matches its Structs energy-management purpose, but it should be reviewed because it instructs auto-confirmed transactions that can spend or irreversibly commit assets using a local key.

Guidance: Only install or use this skill if you are comfortable with an agent helping prepare Structs transactions. Before any transaction, independently verify the key name, amount, denomination, destination IDs or validator address, gas, commissions, penalties, and whether the action is reversible; avoid auto-confirming commands until you have reviewed the exact transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
structsd tx structs struct-generator-infuse [struct-id] [amount]ualpha --from [key-name] --gas auto --gas-adjustment 1.5 -y

This is a direct transaction command using `-y` to auto-confirm; the surrounding text says generator infusion is irreversible, so a wrong or premature execution could permanently commit user assets.

User impact: If an agent follows this workflow without an explicit final user review, it could submit asset-changing transactions or irreversible infusions with incorrect amounts, IDs, or keys.
Recommendation: Remove `-y` from default examples or require explicit user confirmation of the exact command, amount, destination, fees, and reversibility before any `structsd tx` command is run.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
_meta.json
"version": "1.0.1"

The embedded metadata version differs from the registry version shown as 1.2.0, and the instructions also rely on `structsd` despite no required binary being declared.

User impact: Users may have less clarity about exactly which version they are installing and what local tooling is expected.
Recommendation: Reconcile the embedded and registry metadata, declare the `structsd` CLI dependency, and provide source or homepage provenance if available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
--from [key-name]

The transaction examples rely on a local account/key to sign Structs transactions, but the registry metadata declares no primary credential or required credential path.

User impact: The skill can guide use of whatever local Structs key the user or agent selects, which may authorize spending or account changes beyond what the install metadata makes obvious.
Recommendation: Declare the required signing authority in metadata and instruct the agent to use only a user-specified key for a user-approved transaction.