v1.0.0

Gekko Strategist

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This instruction-only DeFi strategy skill is coherent and disclosed, but it sends strategy inputs to an external Gekko A2A API and users should verify vault safety claims before acting.

Guidance: This skill appears safe to install as an instruction-only advisory integration, but treat its output as financial guidance rather than guaranteed results. Verify the Gekko endpoint, confirm vault addresses and audits independently, and do not provide sensitive wallet or portfolio information unless you trust the external service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The skill depends on a remote financial strategy service, but the registry metadata provides limited provenance information for users to verify the provider.

User impact: You may be relying on an external DeFi strategy service whose source and homepage are not documented in the registry.
Recommendation: Confirm the maintainer and the gekkoterminal.ai endpoint before sending portfolio details or acting on recommendations.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
All strategy allocations target audited, open-source vault contracts. ... Smart contracts are subject to third-party audits, formal verification, and bug bounty programs.

The documentation makes broad safety assurances about DeFi vaults without including audit links or verification details. This is not evidence of malicious behavior, but users should not treat it as a guarantee.

User impact: Users could overestimate the safety of recommended vaults or strategies.
Recommendation: Independently verify each vault address, audit status, and current risk before depositing funds; audits do not eliminate DeFi risk.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
API endpoint: `https://gekkoterminal.ai/api/a2a?agent=strategist`

The core workflow sends strategy parameters such as capital, risk tolerance, and strategy objects to a disclosed external A2A endpoint.

User impact: Financial preferences, capital amounts, and strategy details may be processed by an external service.
Recommendation: Share only information needed for the strategy task, and avoid sending private wallet details or sensitive holdings unless you trust the provider.