ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Structs Mining

v1.2.0

Executes resource extraction in Structs. Mines ore and refines it into Alpha Matter. Use when mining ore, refining ore, starting a mine-refine cycle, checkin...

0· 357·0 current·0 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly expects the local 'structsd' CLI and use of a local signing key (--from [key-name]) to submit transactions; however the skill's declared requirements list no required binaries, env vars, or config paths. That omission is inconsistent with its stated purpose (mining via structsd).
Instruction Scope
Instructions are narrowly scoped to running structsd query/tx commands (mine/refine lifecycle) and background PoW. They do not request arbitrary file access or exfiltration, but they do instruct the operator/agent to use a local key name to sign transactions, which is sensitive.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by the skill package itself.
!
Credentials
The skill requests no environment variables or explicit credential fields, but the runtime commands require access to a local key (wallet) and a local 'structsd' binary. The absence of declared credential/config requirements is misleading and understates the sensitive privileges needed to operate (signing/submitting transactions).
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other elevated permissions.
What to consider before installing
This skill appears to be a legitimate how-to for using the 'structsd' CLI to mine and refine resources, but the package metadata omits two important facts: (1) you must have the 'structsd' binary installed and on PATH, and (2) the commands use a local signing key (--from [key-name]) which will sign and submit transactions (and could spend assets). Before using: verify the skill author and source; ensure you have an authentic structsd binary from the official project; test commands with a throwaway or test key account first; do not point the commands at a key containing real funds until you understand the workflow; and be aware that launching the compute commands will submit transactions to the network automatically (the SKILL.md warns 'compute auto-submits'). Also note the metadata/version mismatch (registry shows v1.2.0 while _meta.json lists v1.0.1) — a minor inconsistency but another reason to confirm origin.

Like a lobster shell, security has layers — review code before you run it.

latestvk97brqpcneebhm77e17jt9nkx183xfv9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments