by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill looks like a straight mapping of CLI commands for managing Structs permissions, but it omits important operational details. Before installing or allowing the agent to use it: (1) Confirm the environment actually has the `structsd` CLI and that you trust that binary. (2) Understand where signing keys live — do not expose private keys or unlock a wallet to the agent unless you explicitly intend it to submit transactions. (3) Prefer running in a testnet or with dry-run steps until you ve...详细分析 ▾
⚠ 用途与能力
The SKILL.md repeatedly calls the CLI binary `structsd` and shows TX_FLAGS that require a signer (e.g. `--from [key-name]`), but the skill metadata declares no required binaries, env vars, or config paths. A permission-management skill reasonably needs the `structsd` CLI and access to a signing key / node endpoint; those are missing from the declared requirements.
⚠ 指令范围
Instructions direct the agent to run transaction commands (e.g. `structsd tx structs permission-grant-on-object ... -y`) that will modify on-chain state and require signing. The SKILL.md does not describe how signing keys are provided, whether a dry-run option should be used, or safeguards to prevent accidental submission. There is no guidance about network/rpc configuration (testnet vs mainnet).
ℹ 安装机制
This is instruction-only (no install spec), which lowers installer risk. However, because it relies on an external CLI (`structsd`) being present, the absence of a declared install step or requirement means the skill assumes the environment has that tool installed — an implicit dependency that the metadata does not state.
⚠ 凭证需求
No environment variables, credentials, or config paths are declared, yet the workflow requires a signer (`--from [key-name]`) and likely access to local keyrings or node endpoints. The skill does not justify or declare access to wallet keys or node RPC endpoints; this mismatch could lead to unexpected credential use if the agent is allowed to run commands.
✓ 持久化与权限
always is false and there is no install hook or self-modifying behavior. The skill does not request elevated persistence or modification of other skills/configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.2.02026/3/2
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install structs-diplomacy
镜像加速npx clawhub@latest install structs-diplomacy --registry https://cn.longxiaskill.com