ClawHub

Structs Onboarding

v1.2.2

Onboards a new player into Structs. Handles key creation/recovery, player creation (via reactor-infuse or guild signup), planet exploration, and initial infr...

0· 374·0 current·0 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (player onboarding, key creation, guild signup) matches the provided instructions and the create-player.mjs script. All required actions (mnemonic generation, address/pubkey derivation, signing, POST to guild API, polling reactor) are consistent with onboarding functionality; no unrelated services or credentials are requested.
Instruction Scope
SKILL.md stays within onboarding scope: it instructs checking/merging identity files, using structsd CLI for queries/txs, and running the bundled Node script for guild signup. It explicitly warns about mnemonic handling and CLI flag parsing. The instructions call external Structs network endpoints (reactor/guild) which is expected for this task.
Install Mechanism
There is no automatic install spec (instruction-only); the skill includes a package.json and package-lock and tells the user to run npm install in the script folder. Dependencies are fetched from the public npm registry (cosmjs packages) — expected for a Node-based signing tool and not disproportionate to the stated purpose.
Credentials
The skill declares no required env vars or credentials. It optionally suggests storing a mnemonic in STRUCTS_MNEMONIC or passing --mnemonic to the script; this is reasonable because the feature inherently handles private keys/secrets. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. It can be invoked by the agent (normal default) but has no elevated or permanent privileges.
Assessment
This skill appears coherent and implements exactly what it claims: generating/recovering a mnemonic, deriving keys, signing a guild-join proxy message, POSTing to a guild API, and polling the reactor for player creation. Before running it: (1) run it in a secure environment (it handles private keys/mnemonics and will output the generated mnemonic in the JSON result), (2) do not commit any mnemonics or private keys to source control, (3) verify the guildApi/reactorApi URLs you pass (the script will POST your pubkey/signature to them), and (4) be aware that running npm install will fetch packages from the public npm registry — review package-lock.json if you want to audit exact dependency versions. If you do not trust a third-party guild endpoint, prefer using your own reactor/guild node or perform the signing step locally and submit via trusted channels.

Like a lobster shell, security has layers — review code before you run it.

latestvk9787actz2xd03pn0dvt29kzsh83wbf9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments