ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Structs Guild Stack

v1.2.0

Deploys the Guild Stack (Docker Compose) for local PostgreSQL access to game state. Use when you need faster queries for combat automation, real-time threat...

0· 321·0 current·0 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md explains how to clone a GitHub repo and run docker compose to get PostgreSQL-indexed game state. Required tooling (Docker, docker compose) and disk/sync expectations are proportionate.
Instruction Scope
Instructions are focused on setting up and querying the stack and do not ask for unrelated host files or credentials. However, they direct you to clone and run an external repo and to execute containers that will run arbitrary code and network services; this is expected for a 'deploy stack' skill but expands the trust boundary beyond the skill bundle itself.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk for the package itself. Risk comes from following its instructions: cloning https://github.com/playstructs/docker-structs-guild and running docker compose will pull and execute container images from upstream. Confirm the repository, docker-compose.yml, and referenced images before running.
Credentials
The registry metadata requests no credentials or config paths. SKILL.md shows creating a minimal .env (MONIKER, NETWORK_VERSION, NETWORK_CHAIN_ID) and uses an internal DB role (structs_indexer) inside the compose network — there are no unexplained requests for unrelated secrets.
Persistence & Privilege
Skill is user-invocable and not always-enabled; it does not request persistent platform privileges nor modify other skills. Autonomous invocation is allowed by default but not unusual; nothing in the package requests elevated or permanent platform presence.
Assessment
This skill is coherent for deploying a local guild node via Docker Compose, but the actual code and containers come from an external GitHub repository. Before running: 1) Inspect the repository (docker-compose.yml, Dockerfiles, and referenced image tags). 2) Verify image sources and prefer pinned, signed, or official images; avoid running images from unknown registries without review. 3) Check for host volume mounts and exposed ports (to avoid sensitive host access). 4) Review .env and do not place private keys or unrelated secrets there unless you understand how they are used. 5) Run the stack in an isolated environment (VM or dedicated host) until you trust the repo. Also note minor packaging inconsistencies (the included _meta.json version differs from the registry version and part of an example SQL in the SKILL.md is truncated), which suggests the bundle was packaged sloppily — another reason to manually review the upstream repo before executing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97amzw5nrwjrfr02kj401f5h983w8nt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments