v1.2.0

Structs Guild

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:16 AM.

Analysis

This instruction-only skill is coherent for Structs guild administration, but it should be reviewed because it guides an agent through powerful transactions that can change guild ownership, permissions, membership, and token balances.

Guidance: Install only if you want the agent to assist with Structs guild administration. Require explicit approval before any transaction, especially owner changes, kicks, permission grants, mint/redeem operations, and confiscate-and-burn actions. Verify the signer key, guild ID, target player/address, rank, and amounts, and consider removing '-y' so the CLI confirmation remains visible.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`guild-update-owner-id -- [guild-id] [new-owner-player-id]` ... `guild-bank-confiscate-and-burn -- [guild-id] [address] [amount]`

The skill documents direct transaction commands that can transfer guild ownership and confiscate/burn tokens. These are high-impact mutations, and the artifacts do not add explicit per-command user confirmation or rollback guidance.

User impact: If used carelessly, an agent could help perform actions that remove members, change ownership, grant permissions, or affect token balances.
Recommendation: Only use this skill with explicit user approval for the exact command, guild ID, account/key, addresses, and token amounts; avoid automatic execution for owner, permission, kick, mint, redeem, or confiscation actions.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
This grants PermProviderAgreementCreate (262144) on the provider to any member of the specified guild at or above the given rank.

A single permission change can apply to a whole class of guild members, so a mistaken rank or guild ID can propagate access broadly.

User impact: A misconfigured rank permission could give provider access to more members than intended.
Recommendation: Before setting guild-rank permissions, confirm the target provider, guild, permission number, and minimum rank, and review the affected member set.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
_meta.json
"version": "1.0.1"

The packaged metadata version differs from the registry version shown for the skill, and the review metadata lists the source as unknown with no homepage. There is no code to execute, so this is a provenance note rather than evidence of malicious behavior.

User impact: It may be harder to verify that the reviewed instructions match the intended published version.
Recommendation: Confirm the publisher and version before installing, especially because the skill provides high-impact administrative transaction guidance.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
`structsd tx structs permission-guild-rank-set --from [key] --gas auto -y -- [provider-id] [guild-id] 262144 [rank]`

The command uses a signer key to grant provider permissions, while the registry requirements declare no primary credential or required configuration. This is expected for Structs transactions, but the credential/account authority is high-impact and not clearly scoped.

User impact: Using the wrong key or signer account could grant or change privileges from an unintended identity.
Recommendation: Verify which Structs key/account will sign each transaction, and require the user to confirm that signer before executing administrative or token-related commands.