Skill v1.2.2

ClawScan security

Structs Onboarding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 30, 2026, 3:13 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, instructions, and dependencies are coherent with its stated purpose (onboarding a Structs player); it requests no unrelated credentials and uses standard cosmjs libraries to generate/sign keys and call guild/reactor endpoints.
Guidance: This skill appears coherent and implements exactly what it claims: generating/recovering a mnemonic, deriving keys, signing a guild-join proxy message, POSTing to a guild API, and polling the reactor for player creation. Before running it: (1) run it in a secure environment (it handles private keys/mnemonics and will output the generated mnemonic in the JSON result), (2) do not commit any mnemonics or private keys to source control, (3) verify the guildApi/reactorApi URLs you pass (the script will POST your pubkey/signature to them), and (4) be aware that running npm install will fetch packages from the public npm registry — review package-lock.json if you want to audit exact dependency versions. If you do not trust a third-party guild endpoint, prefer using your own reactor/guild node or perform the signing step locally and submit via trusted channels.

Review Dimensions

Purpose & Capability
ok: Name/description (player onboarding, key creation, guild signup) matches the provided instructions and the create-player.mjs script. All required actions (mnemonic generation, address/pubkey derivation, signing, POST to guild API, polling reactor) are consistent with onboarding functionality; no unrelated services or credentials are requested.
Instruction Scope
ok: SKILL.md stays within onboarding scope: it instructs checking/merging identity files, using the structsd CLI for queries/txs, and running the bundled Node script for guild signup. It explicitly warns about mnemonic handling and CLI flag parsing. The instructions call external Structs network endpoints (reactor/guild), which is expected for this task.
Install Mechanism
ok: There is no automatic install spec (instruction-only); the skill includes a package.json and package-lock and tells the user to run npm install in the script folder. Dependencies are fetched from the public npm registry (cosmjs packages) — expected for a Node-based signing tool and not disproportionate to the stated purpose.
Credentials
ok: The skill declares no required env vars or credentials. It optionally suggests storing a mnemonic in STRUCTS_MNEMONIC or passing --mnemonic to the script; this is reasonable because the feature inherently handles private keys/secrets. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request system-wide persistence or modify other skills. It can be invoked by the agent (normal default) but has no elevated or permanent privileges.