Yield Agent

Security checks across malware telemetry and agentic risk

Overview

This DeFi skill is coherent but needs review because it can assist with fund-affecting blockchain workflows and its triggers, privacy impact, and automation examples are not tightly scoped.

Install only if you are comfortable using an agent for DeFi transaction preparation. Use your own Yield.xyz API key, require wallet review and explicit user approval for every token approval, swap, deposit, claim, withdrawal, rebalance, or broadcast step, and avoid scheduled or multi-wallet tracking unless you accept the local and third-party privacy exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
The examples instruct the agent to perform an ETH→USDC swap via a wallet skill even though the skill is described as a yield discovery and position-management tool. That scope expansion is security-relevant because swaps introduce separate trust, pricing, routing, slippage, and approval risks that users may not expect from a yield-specific skill, increasing the chance of unsafe execution or confused-deputy behavior across skills.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The API goes beyond generating transactions and exposes a direct submission endpoint that can broadcast signed transactions to the blockchain. In a yield-management skill, this materially increases risk because an agent or downstream client may move from advisory/build mode into execution mode without an explicit trust boundary, confirmation step, or wallet-side safety warning.

Context-Inappropriate Capability

Severity: Medium
Confidence: 75%
The schema includes governance-style actions such as VOTE, REVOKE, and REVOTE, which expand the permission and action surface beyond narrow yield discovery. Even if some staking ecosystems blend rewards management and governance, exposing these actions in a generic yield skill can let an agent trigger state-changing governance operations users may not expect.

Vague Triggers

Severity: Medium
Confidence: 82%
The description is broad enough to match generic requests like portfolio management, balances, or yield comparisons, which can cause the skill to be selected in contexts where the user did not clearly intend on-chain transaction preparation. Because this skill can progress from discovery into transaction-building and position management, overbroad routing increases the chance of unintended high-risk financial operations.

Missing User Warnings

Severity: High
Confidence: 95%
The documentation describes entering, exiting, and managing positions and instructs the agent to sign, broadcast, and submit transaction hashes, but it does not prominently warn the user that these actions can move funds and execute irreversible on-chain transactions. In a financial skill spanning 80+ networks, missing an explicit user-facing risk warning materially increases the chance of accidental authorization or unsafe automation.

Missing User Warnings

Severity: Medium
Confidence: 95%
The swap-then-deposit flow presents a multi-step irreversible on-chain sequence without consistently warning about slippage, MEV, price movement, failed intermediate steps, approval risk, or loss of principal in the destination vault. In a financial automation context, omission of these warnings can cause users to authorize transactions they do not fully understand, especially when the example frames the process as routine and already handled.

Missing User Warnings

Severity: Low
Confidence: 87%
The rewards-claim example treats claiming as a simple portfolio action, but it is still an on-chain state-changing transaction that can incur gas costs and may require signing. Without warning users that wallet state will change and fees may apply, the example normalizes transactional actions as if they were read-only checks, which can mislead users into unintended authorization.

Missing User Warnings

Severity: Medium
Confidence: 88%
The balance endpoints require wallet addresses and can perform broad scans across yields and networks, which reveals sensitive portfolio and behavioral data to the remote API. Because the skill targets on-chain portfolio management across many networks, the aggregation capability makes privacy exposure more significant than a single-purpose balance lookup.

Missing User Warnings

Severity: High
Confidence: 96%
The action-creation and transaction-submission endpoints prepare and submit blockchain transactions that can stake, withdraw, claim, vote, or otherwise affect user funds, yet the API descriptions do not prominently warn that these are state-changing financial operations. In this skill context, that omission is especially dangerous because users may assume they are only discovering yields rather than authorizing actions with irreversible on-chain consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%
The skill explicitly documents persistent storage of wallet addresses, positions, rewards, and preferences in a local JSON file, but does not clearly warn users about retention, local exposure, or the sensitivity of behavioral financial metadata. Even though the data is local, it can reveal wallet ownership correlations, portfolio composition, and activity history to other local users, malware, backups, or logs, increasing privacy and targeting risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
The skill advertises multi-wallet overview plus scheduled checks and alerts, which implies ongoing monitoring of wallet activity over time, but it does not clearly obtain informed consent or explain the monitoring scope. In a financial/on-chain context, continuous tracking can build sensitive profiles of assets, habits, and timing, making the feature more privacy-sensitive than generic scheduling.

Vague Triggers

Severity: Medium
Confidence: 90%
The trigger list includes generic phrases such as "stake," "lend," "deposit," "withdraw," and "check balance" that are common across many benign finance or wallet interactions. In an agent ecosystem, overly broad triggers can cause unintended activation of a skill that builds on-chain transactions, increasing the chance of confusing users, routing requests to the wrong skill, or initiating high-impact financial workflows without sufficiently specific intent.

Missing User Warnings

Severity: High
Confidence: 93%
The manifest description advertises transaction building and portfolio management but omits any warning that the skill can facilitate irreversible on-chain financial operations. In this context, missing risk disclosure is dangerous because users or orchestrators may treat the skill as informational when it can lead to deposits, withdrawals, staking, lending, or claims that affect assets across many networks.

VirusTotal

63/63 vendors flagged this skill as clean.