Back to skill
Skillv0.1.5
VirusTotal security
Yield Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:45 AM
- Hash
- c87e9376b226f9e84d3c90219bead759a9f609a40da59d5dd93edf3f2af6e55b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: yield-agent Version: 0.1.5 The skill is classified as suspicious primarily due to the inclusion of a default, shared API key (`b40dd85f-d89e-48da-a2b3-ec04fae106dc`) in `skill.json`. While the `_apiKeyNote` explicitly advises replacing it for production, its presence as a default poses a vulnerability if used without replacement, potentially leading to unauthorized access or rate limiting issues for the shared key. The shell scripts (`scripts/*.sh`) correctly sanitize user inputs and construct JSON payloads using `jq` to prevent shell injection. Furthermore, the `SKILL.md` and `references/safety.md` files contain strong, explicit instructions for the AI agent to never modify transactions, always seek user confirmation for financial operations, and adhere to configurable safety guardrails, actively mitigating prompt injection risks and demonstrating a clear intent to operate safely within the high-risk domain of DeFi transactions via `https://api.yield.xyz`.
- External report
- View on VirusTotal