v1.2.0

Structs Mining

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:16 AM.

Analysis

The skill is coherent for Structs mining, but it tells the agent to run auto-confirmed account transactions and long background jobs using a local key.

Guidance: Install only if you want the agent to run Structs CLI transactions for you. Before use, verify the `structsd` CLI source, choose the account key deliberately, confirm every struct ID and gas setting, consider removing `-y` until reviewed, and monitor any multi-hour background jobs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Launch in a background terminal: `structsd tx structs struct-ore-mine-compute -D 3 --from [key-name] --gas auto --gas-adjustment 1.5 -y -- [struct-id]`. ... Compute auto-submits the complete transaction.

The main workflow uses an auto-confirmed transaction command that signs from a local key, sets gas automatically, and submits the result without an explicit review step in the skill instructions.

User impact: If invoked with the wrong account, struct ID, or timing, the agent could submit unintended Structs transactions and consume account resources or gas.
Recommendation: Require explicit user approval before every `tx` command, show the target struct/account and expected gas, and avoid `-y` unless the user has confirmed the exact transaction.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
**CRITICAL**: Mining and refining are **multi-hour background operations**. Launch compute in a background terminal and do other things while waiting.

The skill intentionally starts long-running background work. This is disclosed and purpose-aligned, but it means activity can continue well after the initial user request.

User impact: Background jobs may continue for many hours and could be forgotten, duplicated, or left running after the user no longer wants the operation.
Recommendation: Track each background job, record its start time and target struct, and provide a clear way to inspect or stop running processes.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
metadata
Required binaries (all must exist): none ... Primary credential: none

The skill is instruction-only but its documented workflow relies on the external `structsd` CLI and a local account key. Those dependencies are not reflected in the declared requirements.

User impact: A user may install the skill without realizing they also need to trust and configure the Structs CLI and local key material.
Recommendation: Declare `structsd` and the required account configuration in metadata, and document where users should obtain and verify the CLI.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Common tx flags: `--from [key-name] --gas auto --gas-adjustment 1.5 -y`.

`--from [key-name]` indicates use of a local account/key to authorize Structs transactions; the supplied requirements metadata lists no primary credential, so this sensitive authority is under-declared.

User impact: The agent may act with the authority of the selected Structs account, which can change account state and spend resources.
Recommendation: Declare the required account/key access, use a dedicated low-risk key where possible, and have the agent ask which key to use before signing any transaction.