Structs Streaming
Pass
Audited by ClawScan on May 14, 2026.
Overview
This instruction-only skill mostly matches its real-time game-event streaming purpose, but users should notice its broad discovery subscription, unencrypted guild-hosted WebSocket endpoint, and unclear wallet/purchase capability signals.
This appears safe to use as a guide for reading GRASS/NATS game events, especially because it has no code or install step. Use the wildcard subscription only briefly, narrow to specific subjects, treat guild-hosted `ws://` data as untrusted/non-private, and do not grant wallet or purchase permissions unless a separate, explicit workflow explains exactly what will be signed or spent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may temporarily see or log more game events than the user specifically asked for.
The skill tells the agent to use a broad NATS wildcard subscription, which can receive unrelated event traffic. It is disclosed, time-bounded, and followed by narrowing guidance, so this is a purpose-aligned note rather than a concern.
Before subscribing to specific subjects, **subscribe to the `>` wildcard** to see all traffic flowing through the GRASS server... Watch the output for 30-60 seconds... narrow your subscriptions
Use the wildcard only for short discovery, avoid saving unnecessary event data, and switch to specific subjects as soon as possible.
Network observers or the guild-operated endpoint may be able to observe or alter event-stream traffic.
The skill relies on a non-TLS WebSocket hosted by a third-party guild. This is disclosed and appears necessary for the stated service, but it affects transport confidentiality and endpoint trust.
A reliable reference endpoint: **`ws://crew.oh.energy:1443`** ... GRASS is hosted by individual guilds and is currently HTTP only — do not rewrite to `wss://`.
Do not send wallet secrets, private keys, or other sensitive credentials over this stream; treat received events as untrusted until verified.
It is harder to verify exactly which release or source the instructions came from.
The embedded _meta.json version differs from the registry metadata version 1.2.2, and the listing has unknown source/no homepage. Because this is instruction-only with no code files, this is a provenance note rather than an executable-code concern.
"slug": "structs-streaming", "version": "1.0.1"
Prefer a publisher-provided source/homepage and consistent package metadata before relying on it for important automation.
