ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Structs Guild

v1.2.0

Manages guild operations in Structs. Covers creation, membership, settings, and Central Bank token operations. Use when creating a guild, joining or leaving...

0· 353·0 current·0 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md exclusively documents structsd CLI commands for guild and Central Bank token management, which matches the skill's stated purpose. However the skill metadata declares no required binaries or credentials even though the instructions implicitly require the structsd binary and signing keys (e.g., --from [key], transactions signed by a guild member). This mismatch is a configuration/information gap that could cause silent failures or confusion.
Instruction Scope
The runtime instructions stay within the domain of guild management and token operations (queries and transactions via structsd). They do not instruct reading arbitrary host files, contacting unknown external endpoints, or exfiltrating data. They do include powerful operations (mint, confiscate, burn) which are expected for a guild-bank management skill.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk risk — nothing is downloaded or installed by the skill package itself.
Credentials
The skill declares no required environment variables, but the documented commands expect signing keys/identities and a working structsd CLI in the runtime environment. The skill does not state how keys should be supplied/managed (CLI flags, local keyring, hardware wallet), which is an important omission when financial/token operations are involved.
Persistence & Privilege
The skill is not always-enabled and requests no special platform privileges. It does not attempt to persist configuration or modify other skills' settings in the provided instructions.
What to consider before installing
This skill appears to be legitimate documentation for using the structsd CLI to manage Structs guilds, but the metadata omits important runtime requirements. Before installing or using it: 1) ensure the structsd CLI is installed and you know where it runs (the skill assumes its presence); 2) understand that transactions must be signed with private keys—do not paste private keys into third-party UIs or enable a skill to read your key files; use a secure wallet or hardware signer if possible; 3) review and restrict access because commands include mint, confiscate, and burn operations which can move or destroy tokens; 4) ask the skill author to update metadata to declare required binaries and to explain how signing keys are expected to be provided. If you cannot confirm those points, test in a safe/non-production environment only.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a35h5772w3qtr25sm0zx2r983wvvg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments