Skill v1.0.0
ClawScan security
DeFi Yield Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 5, 2026, 11:25 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and external calls are consistent with its stated purpose (aggregating DeFi yields from DefiLlama), and it does not request unrelated credentials or system access.
- Guidance: This skill appears internally consistent and only calls the public DefiLlama yields API. Before installing:
  1. Confirm you trust the unknown owner, since the repo has no homepage.
  2. Ensure the runtime has Python and the 'requests' library (the script uses requests, but no dependency is declared).
  3. Note that the SKILL.md mentions a per-call charge (0.001 USDT) but the code does not perform any billing; verify how billing/enforcement works in your environment.
  4. Be aware the skill makes outbound HTTP requests to yields.llama.fi (no secrets are sent), so if your environment restricts network access or you require vetted data sources, consider that dependency.
  5. Understand that APY/TVL figures are pulled from DefiLlama and should be independently validated before acting on financial decisions.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included code: the script queries the public DefiLlama yields API, filters/sorts pools and formats results. No unrelated binaries, env vars, or config paths are requested.
- Instruction Scope (note): SKILL.md describes functionality and per-call pricing but does not provide runtime billing mechanics; the included script only performs an HTTP GET to yields.llama.fi and formats results. There is no instruction to read local files or secrets, or to send data to unexpected endpoints, but the billing claim ('已扣费 0.001 USDT', i.e. '0.001 USDT has been deducted') is not implemented in code and is therefore a minor inconsistency the user should understand.
- Install Mechanism (ok): No install spec or external installers are used. This is an instruction-only skill with an included Python script; nothing is downloaded from arbitrary URLs and no archives are extracted.
- Credentials (ok): The skill requests no environment variables or credentials. The only external access is to the public DefiLlama API (https://yields.llama.fi/pools), which is proportionate to the stated purpose.
- Persistence & Privilege (ok): The skill's 'always' flag is false, and there is no request to modify other skills or system-wide settings. The skill does not demand persistent presence or elevated privileges.
