ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Structs Power

v1.2.0

Manages power infrastructure in Structs. Covers substations, allocations, player connections, and power monitoring. Use when power is low or overloaded, crea...

0· 309·0 current·1 all-time
by@abstrct
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md actions (creating substations/allocations, connecting players, queries) align with the skill name and description. This is a coherent set of capabilities for a 'power management' skill for Structs.
Instruction Scope
All runtime instructions are concrete structsd CLI commands and queries; they stay within the stated domain (power/substations/allocations). However the instructions require submitting transactions (TX_FLAGS) with a '--from [key-name]' which implies the agent will need access to a local keyring or wallet configuration—this is not declared in the metadata.
Install Mechanism
The skill is instruction-only (no install spec), which is the lowest install risk. That said, it implicitly depends on the 'structsd' CLI being present on the host; the package metadata lists no required binaries, which is inconsistent with the instructions.
!
Credentials
requires.env lists none, but TX_FLAGS include '--from [key-name]' and the commands will use whatever keyring/config 'structsd' has access to. The skill may cause the agent to read local wallet keys or sign transactions. The lack of declared binary or credential requirements is a proportionality/visibility concern.
Persistence & Privilege
always:false and no install/write operations. The skill does not request persistent presence or system-level configuration changes in its files. The main risk is transactional (it will instruct the agent to submit on-chain txs if executed).
What to consider before installing
This skill appears to do what it says (manage substations/allocations via the structsd CLI), but it assumes the structsd binary and access to local signing keys (the TX_FLAGS --from value). The registry metadata does not declare these dependencies and there is no homepage/source to verify the author. Before installing or enabling autonomous use: (1) confirm you trust the skill owner and the source; (2) ensure structsd is installed intentionally and understand which local key the agent would use to sign transactions; (3) avoid giving the agent access to high-value keys—test in a sandbox or with a low-privilege key; (4) consider disabling autonomous invocation if you do not want the agent to submit transactions without manual approval. Also note a minor metadata mismatch: _meta.json shows version 1.0.1 while registry metadata lists 1.2.0 and there is no homepage—these reduce provenance confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ambtwf5s1c0w842xse1e01d83wybz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments