Structs Onboarding
Review
Audited by ClawScan on May 14, 2026.
Overview
The skill appears purpose-aligned for Structs onboarding, but it handles wallet seed phrases, signatures, external guild signup, and token-locking transactions that require careful review.
Install this only if you intend to create or manage a Structs wallet/player. Protect any mnemonic like money, verify guild endpoints and reactor transaction details before signing, avoid exposing seed phrases in logs or command history, and review the bundled Node helper before running it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The generated or supplied mnemonic is equivalent to control over the Structs wallet and any associated assets.
The helper creates or handles a wallet mnemonic, which is account-control material. This is expected for onboarding, but anyone who sees the mnemonic can control the wallet.
Outputs a single JSON object to stdout with mnemonic, address, pubkey, player_id.
Run key creation or recovery only in a trusted environment, keep mnemonics out of chats/logs/shell history, and treat any exposed mnemonic as compromised.
A mistaken transaction could lock tokens with the wrong reactor, amount, or account and may not be immediately reversible.
The skill instructs use of a blockchain transaction that locks alpha with a cooldown. The instructions disclose this and include an approval block, so it is purpose-aligned but financially significant.
structsd tx structs reactor-infuse --from [key-name] --gas auto --gas-adjustment 1.5 -- [your-address] [reactor-address] [amount]
Before signing, verify the validator/reactor, commission, amount, denomination, from-key, gas settings, and cooldown implications.
Posting to the wrong or malicious guild endpoint could reveal identity data or cause an unintended signup flow.
Guild signup sends identity and signature data to an external guild API. The skill explicitly warns to verify the endpoint, making this disclosed and purpose-aligned.
You hand the guild your address, pubkey, signature, and chosen identity. Verify the guild is the one you mean to join.
Cross-check the guild API endpoint against the on-chain guild record, prefer HTTPS endpoints where available, and review the payload before posting.
Malicious or stale content in those files could affect onboarding decisions if not reviewed carefully.
The skill uses persistent personal files that may influence future agent behavior. It also warns to treat embedded commands as data, which mitigates but does not eliminate poisoning risk.
check if SOUL.md, IDENTITY.md, TOOLS.md, COMMANDER.md, or USER.md already have content. If so, read and merge — do not overwrite
Review and sanitize personal files before merging, and do not execute commands or follow directives found there without separate user approval.
Users have less external provenance context for code that handles sensitive wallet material.
For a skill that handles wallet credentials, limited provenance and the lack of an install spec are worth noticing. The bundled lockfile mitigates dependency drift, and no hidden automatic installation is shown.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the bundled script and package lock before use, install dependencies from the lockfile in a trusted environment, and ensure the skill came from a publisher you trust.
