Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Structs Exploration
v1.2.0
Explores new planets and manages fleet movement in Structs. Use when discovering new planets, moving fleet to a new location, expanding territory, relocating...
by @abstrct
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md assumes use of the 'structsd' CLI to query and submit transactions (planet-explore, fleet-move) and references signing via '--from [key-name]'. However, the registry metadata lists no required binaries, no primary credential, and no config paths. A skill that drives a blockchain-style CLI legitimately needs that binary and access to wallet/key material; the omission is an incoherence.
Instruction Scope
Instructions are narrowly focused on querying and transacting with Structs via the CLI and do not ask to read unrelated files or exfiltrate data. However, they do instruct transaction submission using a local key name (wallet) and CLI flags; that implies access to local keyrings and the network node, which the skill metadata does not declare.
Install Mechanism
This is instruction-only with no install spec or code files, so there is no installer risk. The runtime risk comes from executing the external 'structsd' binary (not provided by the skill).
Credentials
The instructions require signing transactions ('--from [key-name]') and therefore access to local keys/wallets and potentially node RPC endpoints, but the skill requests no environment variables, credentials, or config paths. The skill should explicitly declare the need for wallet access and any node endpoint config; its absence is disproportionate to the operations it performs.
Persistence & Privilege
The skill is not always-enabled, does not request persistent installation, and doesn’t modify other skills or system settings. Autonomous invocation is allowed (default), but that alone is not flagged; there is no 'always: true' or other high-privilege setting.
Scan Findings in Context
[no-code-found] expected: Regex scanner found no code files; this is an instruction-only skill. The primary security signals come from SKILL.md content rather than code analysis.
What to consider before installing
This skill tells the agent how to run 'structsd' to explore planets and move fleets, and it expects you to supply a local key name for signing transactions. Before installing or using it:
1) Verify you have the 'structsd' CLI installed from a trusted source;
2) Confirm where your keys are stored (local keyring/config) and that you understand any commands may submit real on-chain transactions;
3) Don't let the agent run these commands autonomously without review—inspect the exact tx commands and test on a non-production/test environment first;
4) Ask the publisher to update metadata to declare the required binary and any config/credential needs to remove this inconsistency.
Like a lobster shell, security has layers — review code before you run it.
