Skill v0.1.5

ClawScan security

Yield Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Feb 12, 2026, 12:59 PM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (wrapping the Yield.xyz API via curl/jq scripts); the bundled scripts, instructions, and required binaries align with on‑chain yield discovery and transaction construction, but review the shipped API key, wallet integration, and state persistence before using in production.
Guidance
This skill appears to do what it claims: it queries Yield.xyz, constructs unsigned transactions, and expects a wallet skill to sign and broadcast them. Before installing:
- Replace the embedded shared API key in skill.json with your own YIELDS_API_KEY (the manifest includes a 'free shared key' for convenience). Do not rely on a shared key in production.
- Review and trust the wallet skill you pair with this (Crossmint/Privy/Portal/Turnkey). The yield-agent will hand unsigned transactions to that wallet for signing; never provide private keys to this skill. Follow its wallet integration docs.
- Be aware the skill may persist a small state file (positions, addresses, alerts) under the skill's state directory (~/.openclaw/skills/yield-agent/state or the skill state/ path). If you run Superskills or scheduling, expect periodic checks and stored metadata; audit or clear that state if needed.
- The SKILL.md and scripts repeatedly warn: do NOT modify unsignedTransaction returned by the API; changing it can cause loss of funds. Follow that rule strictly.
- The package references an OpenAPI spec and many examples; if provenance matters, verify the upstream repository (the README points to a GitHub org 'stakekit/yield-agent') and confirm the publisher before trusting for production.
If you want a stricter review, provide the untruncated openapi.yaml and the identity/URL used to publish this skill so I can check for surprises (hidden endpoints, unexpected third-party hosts, or additional embedded keys).
Findings
[base64-block] expected: The SKILL.md and reference docs include many base64/hex examples of unsignedTransaction encodings for different chains (Sui/Aptos/Solana/etc.), which likely triggered this pattern. This appears to be example data/formatting needed for multi-chain signing, not a prompt-injection attempt.

Review Dimensions

Purpose & Capability
[ok] Name/description match what the skill does: all scripts call the Yield.xyz API, and required binaries (curl, jq) are appropriate. The skill does not request unrelated credentials or system access.
Instruction Scope
[ok] SKILL.md and scripts consistently instruct the agent to fetch yield metadata, build actions, and hand unsigned transactions to a wallet skill for signing. The instructions explicitly forbid modifying unsignedTransaction, and the scripts only call the declared API endpoints and read the local skill manifest for configuration.
Install Mechanism
[ok] No remote download/install steps are declared in the package metadata; the skill is delivered as code files and uses only curl/jq at runtime. No arbitrary external installers or URL downloads are used by the skill itself.
Credentials
[note] The skill requires no secrets at runtime, but skill.json ships a shared API key (api.apiKey) and baseUrl. This is convenient for getting started but means the package includes an embedded API key; replace it with your own YIELDS_API_KEY for production. The skill does not request unrelated credentials.
Persistence & Privilege
[ok] The 'always' flag is false and model invocation is allowed (normal). The package documents and may use a local state file (state/yield-cache.json under the skill directory or ~/.openclaw/...), which is expected for monitoring/superskill features. The skill does not attempt to modify other skills or system-wide configs.