YieldVault Agent
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent yield-farming skill, but it can autonomously sign and broadcast blockchain transactions with wallet authority, so it needs careful review before any real funds are used.
Review this carefully before installing. It appears purpose-aligned rather than deceptive, but it is an autonomous crypto trading/farming tool with wallet-signing authority. Start only on testnet or with a disposable wallet, verify the source and dependencies, avoid raw private keys for mainnet, require transaction limits and human approval, and do not run it unattended with meaningful funds until the listed mainnet safeguards are implemented and audited.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a funded wallet, the skill could automatically move funds or change DeFi positions, potentially causing financial loss from bugs, bad data, or misconfiguration.
These are high-impact on-chain actions that can move or alter financial positions, and the artifact presents them as automatic agent actions.
**Transaction Executor** - Automatic DEPOSIT, WITHDRAW, HARVEST, COMPOUND, REBALANCE actions
Use only testnet or a disposable wallet first, require explicit approvals or transaction limits, and do not enable mainnet automation until the contracts, strategy, and execution controls are independently reviewed.
Providing a private key or wallet credential gives the skill authority to sign transactions from that wallet.
The skill is expected to use private-wallet signing authority, which can control blockchain assets.
Signs transactions with a private wallet (ethers.js)
Do not use a wallet containing meaningful funds. Prefer hardware-wallet or multisig signing, narrowly scoped allowances, and clearly declared environment variables or secret storage.
Running this as production/mainnet automation before those controls exist could let bad market data, contract bugs, or execution failures repeat across cycles and affect funds.
The artifact itself says the system is only ready for testnet and still needs mainnet safeguards such as wallet hardening, oracle integration, audits, and emergency pause controls.
Status: ⚠️ READY FOR TESTNET (Requires Mainnet Upgrades)
Treat mainnet use as not production-ready unless the listed upgrades are implemented, tested, audited, and paired with circuit breakers and manual emergency stop procedures.
Once started, the process may continue to take financial actions on a schedule without prompting the user each time.
This describes long-running autonomous behavior that continues making and executing decisions after being started.
**Autonomous Scheduler** - Run farming decisions hourly without manual intervention
Run it under a supervised process with clear stop controls, alerts, spending limits, and logs; avoid unattended operation with real funds.
Vault IDs, action types, amounts, errors, and cycle summaries may be shared with Telegram and anyone who can access the configured chat or bot.
The skill sends transaction/activity metadata to Telegram, an external messaging provider.
Telegram notifications sent automatically for: Execution started (vault_id, action, amount)
Use a private bot/chat, avoid posting sensitive wallet or portfolio details to shared channels, and rotate bot tokens if exposed.
Running the setup may install dependencies and execute local scripts on the user's machine.
The setup instructions run local package installation and deployment scripts; this is expected for a Node/Hardhat blockchain project but still executes code.
cd contracts
npm install
npm run deploy:testnet
Inspect package files and lockfiles, run in an isolated environment, and keep deployment keys separate from wallets holding real assets.
