Gekko Yield

Earn yield on USDC by supplying to the Moonwell Flagship USDC vault on Base. Use when depositing USDC, withdrawing from the vault, checking position/APY, or generating yield reports.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Serge (@Sergey1997)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description, CLI commands and included scripts all align with earning yield on Moonwell USDC on Base (deposit/withdraw/status/compound/report). However the skill metadata declares no required environment variables while the scripts expect a PRIVATE_KEY environment variable and write/read config/log files under ~/.config/gekko-yield. The missing declared env var is an incoherence that affects user consent and risk understanding.
! Instruction Scope
Runtime instructions and scripts do what they claim (interact with the vault, call Odos for swaps, query CoinGecko). But compound.ts calls the Odos 'assemble' endpoint which returns a ready-to-send transaction and the script sends it with walletClient.sendTransaction without validating that the assembled transaction targets only known, expected contracts (e.g., verifying assembled.transaction.to equals the expected Odos router). Relying on an external service to produce raw transactions for immediate signing and broadcast increases the blast radius if that external endpoint is compromised or malicious. The skill also instructs storing config/logs in the user's home directory and to put the private key in an env var — that is expected for on‑chain tooling but should be clearly declared in metadata (it is not).
Install Mechanism
No binary install spec; scripts are Node/TypeScript and use standard npm/pnpm dependencies (viem, tsx). This is proportionate to the described functionality. Nothing is downloaded from an untrusted URL in the manifest.
! Credentials
The scripts require a wallet private key (PRIVATE_KEY) at runtime (and also read HOME for config/log paths), but the registry metadata lists no required environment variables or primary credential. Asking for a private key is expected for a wallet-managing DeFi tool, but it must be declared up front so users can make an informed risk decision; the omission is a significant coherence/consent issue.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It writes its own config and logs under ~/.config/gekko-yield (normal for CLI tools). It does not modify other skills or global agent settings in the provided files.
What to consider before installing
This skill appears to implement the described Moonwell USDC vault actions, but exercise caution before installing or running it with real funds:

  • Private key handling: The scripts expect you to provide a PRIVATE_KEY environment variable, but the skill metadata does not declare this. Only run after you understand this and only use a dedicated hot wallet with limited funds.
  • External assembler risk: The compound flow asks Odos (https://api.odos.xyz) to assemble a ready-to-sign transaction and then sends it as-is. An attacker or a compromised Odos endpoint could return a transaction that drains funds or calls unexpected contracts. Prefer to run code locally, inspect the assembled transaction (confirm 'to' address and calldata) before signing, or modify the code to validate assembled.transaction.to === ODOS_ROUTER and/or to simulate the assembled tx before sending.
  • Audit the code: If you will run this skill, review the setup.ts/loadConfig implementation to confirm nothing writes your private key to disk. Confirm that 'verifyContracts' actually checks the addresses you expect. Consider enabling simulation-only mode when testing.
  • Operational precautions: Use a dedicated wallet with minimal USDC and ETH for gas, confirm contract addresses independently (e.g., BaseScan), and run the scripts locally rather than trusting remote execution.

If you are not able to review or run the code yourself, treat this skill as untrusted.
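One way to implement the pre-signing check recommended above, as an added example that is not code from the skill or from Odos. The `AssembledTx` field names, the `Policy` type, the zero-ETH-value rule for reward-token swaps and both addresses are assumptions or constructed placeholders; a transaction that passes should still be simulated before it is sent.

```typescript
// Added example: static checks on an aggregator-assembled transaction before signing.
// The AssembledTx shape is an assumption modelled on `assembled.transaction` in the
// scan report; every address below is a constructed placeholder, not a real contract.
interface AssembledTx {
  to: string;
  from: string;
  data: string;
  value: string; // wei, as a decimal or 0x-hex string
  chainId: number;
}
interface Policy {
  expectedRouter: string; // pinned from an independently verified source, never from the API
  wallet: string;
  chainId: number; // 8453 for Base
}

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const ZERO_VALUE_RE = /^(0x0+|0+)$/;
// Compare case-insensitively so checksummed and lowercase forms match.
const sameAddress = (a: string, b: string): boolean =>
  ADDRESS_RE.test(a) && ADDRESS_RE.test(b) && a.toLowerCase() === b.toLowerCase();

// Returns the list of policy violations; an empty list means "proceed to simulation".
function checkAssembledTx(tx: AssembledTx, policy: Policy): string[] {
  const problems: string[] = [];
  if (!sameAddress(tx.to, policy.expectedRouter)) problems.push(`unexpected 'to': ${tx.to}`);
  if (!sameAddress(tx.from, policy.wallet)) problems.push(`unexpected 'from': ${tx.from}`);
  if (tx.chainId !== policy.chainId) problems.push(`unexpected chainId: ${tx.chainId}`);
  // Calldata must be hex with at least a 4-byte function selector.
  if (!/^0x([0-9a-fA-F]{2}){4,}$/.test(tx.data)) problems.push("calldata missing or malformed");
  // Assumption: swapping ERC-20 reward tokens never needs native ETH attached.
  if (!ZERO_VALUE_RE.test(tx.value)) problems.push(`unexpected value: ${tx.value}`);
  return problems;
}

// Constructed sample responses: one well-formed, one with the target and value altered.
const POLICY: Policy = {
  expectedRouter: "0x1111111111111111111111111111111111111111",
  wallet: "0x2222222222222222222222222222222222222222",
  chainId: 8453,
};
const good: AssembledTx = {
  to: POLICY.expectedRouter, from: POLICY.wallet,
  data: "0xabcdef0102", value: "0", chainId: 8453,
};
const swapped: AssembledTx = {
  ...good, to: "0x3333333333333333333333333333333333333333", value: "1000000000000000",
};
console.log(checkAssembledTx(good, POLICY), checkAssembledTx(swapped, POLICY));
```

Refusing to sign whenever the returned list is non-empty keeps the decision about which contract receives the call on the client side rather than with the remote endpoint.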

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

Runtime requirements

🦎 Clawdis
Bins: node

SKILL.md

Gekko Yield — Earn safe yield on USDC

Earn yield on USDC via the Moonwell Flagship USDC vault on Base.

Vault: 0xc1256Ae5FF1cf2719D4937adb3bbCCab2E00A2Ca
Chain: Base (8453)
Asset: USDC (0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913)

Why This Vault?

The Moonwell Flagship USDC vault is one of the safest places to earn yield on Base:

  • Powers Coinbase — Provides $20M+ liquidity to Coinbase's BTC/ETH borrow products
  • Blue-chip collateral only — Loans backed by ETH, cbETH, wstETH, cbBTC
  • Conservative LTV ratios — Healthy collateral requirements
  • Isolated markets — Risk is compartmentalized
  • Battle-tested — Morpho's codebase is <650 lines, immutable, extensively audited
  • Multi-layer governance — Moonwell DAO + Block Analitica/B.Protocol curators

Current APY (~4-6%)

| Component  | APY     | Source                       |
|------------|---------|------------------------------|
| Base yield | ~4-5%   | Borrower interest            |
| Rewards    | ~0.5-1% | WELL + MORPHO via Merkl      |
| Total      | ~4.5-6% | Sustainable, from real demand |

Yields come from real borrowing demand, not unsustainable emissions.

Quick Start

cd gekko-yield/scripts
pnpm install  # or npm install
npx tsx setup.ts

The setup wizard will:

  1. Guide you to set your private key as an environment variable
  2. Save configuration to ~/.config/gekko-yield/config.json

Commands

Interactive Setup

npx tsx setup.ts

Guides you through wallet configuration.

Check Position & APY

npx tsx status.ts

Returns: current deposit, vault shares, APY, wallet balances, estimated earnings.

Generate Report

# Telegram/Discord format (default)
npx tsx report.ts

# JSON format (for automation)
npx tsx report.ts --json

# Plain text
npx tsx report.ts --plain

Deposit USDC

npx tsx deposit.ts <amount>
# Example: deposit 100 USDC
npx tsx deposit.ts 100

Deposits USDC into the Moonwell vault. Handles approval automatically.

Withdraw

# Withdraw specific amount of USDC
npx tsx withdraw.ts <amount>

# Withdraw all (redeem all shares)
npx tsx withdraw.ts all

Auto-Compound

npx tsx compound.ts

All-in-one command that:

  1. Checks wallet for reward tokens (WELL, MORPHO)
  2. Swaps them to USDC via Odos aggregator
  3. Deposits the USDC back into the vault

Configuration

Config location: ~/.config/gekko-yield/config.json

{
  "wallet": {
    "source": "env",
    "envVar": "PRIVATE_KEY"
  },
  "rpc": "https://mainnet.base.org"
}

Security

⚠️ This skill manages real funds. Review carefully:

  • Private keys loaded at runtime from environment variable
  • Keys never logged or written to disk by scripts
  • All transactions simulated before execution
  • Contract addresses verified on each run
  • Scripts show transaction preview before sending

Recommended Setup

  1. Dedicated wallet — Create a hot wallet just for this skill
  2. Limited funds — Only deposit what you're comfortable having in a hot wallet
  3. Keep gas funded — Maintain small ETH balance on Base for transactions

Error Handling

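| Error                 | Cause                     | Fix                                  |
|-----------------------|---------------------------|--------------------------------------|
| Insufficient USDC     | Not enough USDC in wallet | Bridge/transfer more USDC to Base    |
| Insufficient gas      | Not enough ETH for tx     | Add ETH to wallet on Base            |
| Wallet not configured | Missing config            | Run npx tsx setup.ts                 |
| PRIVATE_KEY not set   | Missing env var           | Set $env:PRIVATE_KEY="your-key"      |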

Dependencies

Scripts require Node.js 18+. Install deps before first run:

cd scripts && pnpm install

Packages used:

  • viem — Ethereum interaction
  • tsx — TypeScript execution

Built by Gekko AI. Powered by ERC-8004.
