Yield Farming Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent DeFi automation skill, but it can autonomously sign and execute financial transactions and its production/mainnet readiness is not scoped tightly enough.

Install only for testnet or a low-balance wallet unless you have reviewed the code and contracts. Do not provide a mainnet private key until you add hardware-wallet or multisig signing, explicit transaction limits and allowlists, audited production contracts, monitored emergency pause controls, and clear log/Telegram data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding
The skill documentation indicates use of environment variables for sensitive configuration such as RPC endpoints and potentially signing material, but no explicit permissions are declared to reflect that capability. In an autonomous agent that can sign and broadcast blockchain transactions, undeclared access to env increases the risk of hidden secret consumption and makes operator review and sandboxing less effective.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The described skill behavior understates several impactful capabilities: external Telegram notifications, contract deployment/tooling, filesystem writes, and broader testing/utilities. In a financial automation context, capability mismatch is dangerous because reviewers may approve a yield-farming agent expecting only deterministic on-chain actions, while the package also exfiltrates data externally, modifies local state, and includes deployment paths that could affect contracts or infrastructure.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The ABI exposes administrative pause() and unpause() functions in a skill advertised as autonomous and deterministic yield farming, introducing centralized control over execution. If the agent or an operator can invoke these methods, vault operations can be arbitrarily halted or resumed, creating a denial-of-service and trust mismatch for users who may assume uninterrupted, deterministic behavior.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The README describes a stub contract for BNB Testnet agent integration, while the skill metadata presents an autonomous yield-farming agent for BNB Chain more broadly. This mismatch can cause operators or downstream agents to treat testnet-only, non-production-safe contract logic as representative of live execution behavior, increasing the risk of unsafe deployment or incorrect trust assumptions.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The README simultaneously claims the contract is 'Ready for Deployment' and later admits it is a stub, unaudited, with limited error handling and no reentrancy guards. In a financial smart-contract context, this contradiction is dangerous because it can mislead users or automation into deploying or integrating an unsafe contract that handles funds.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The compound function mints new shares from an invented yield amount without receiving any external assets, while also increasing totalAssets, effectively creating unbacked accounting value. This dilutes share pricing, breaks vault solvency assumptions, and can be abused to inflate a user's claim on withdrawals at the expense of real depositors. In a yield-farming agent skill, such false accounting is especially dangerous because automation may rely on these balances for portfolio decisions.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The compound function mints new shares from an invented yield amount without receiving any external assets, while also increasing totalAssets, effectively creating unbacked accounting value. This dilutes share pricing, breaks vault solvency assumptions, and can be abused to inflate a user's claim on withdrawals at the expense of real depositors. In a yield-farming agent skill, such false accounting is especially dangerous because automation may rely on these balances for portfolio decisions.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The module silently expands from transient Telegram alerting into persistent local data retention by writing notification history to disk. Those notifications can contain operational details, errors, vault identifiers, transaction hashes, and contextual data, so storing them locally increases exposure to sensitive information leakage, unauthorized access, and unintended long-term retention beyond the stated role of the component.

VirusTotal

65/65 vendors flagged this skill as clean.
