Gekko Yield

This skill appears to implement the advertised vault operations, but take these precautions before installing or funding it: - Confirm PRIVATE_KEY handling: inspect scripts/setup.ts and loadConfig() to ensure the private key is only read from the environment (PRIVATE_KEY) and never written to disk or transmitted to a remote server. The registry metadata should also list the required env var — the omission is an inconsistency. - Use a dedicated hot wallet with minimal funds. Do not use your main/CEX wallet private key. - Review setup.ts locally before running. If you cannot read the file, run the code in an isolated VM/container and monitor network traffic. - Verify contract addresses (vault, USDC, Odos router, reward tokens) on Base's block explorers and official Moonwell docs before sending funds. - Check that transaction logs written to ~/.config/gekko-yield/logs don't contain secret data and that config.json only stores the envVar name and RPC preferences. - If you plan to let an AI agent invoke this skill autonomously, be aware the agent could initiate transactions with the provided private key. Consider disabling autonomous use or restricting the agent's ability to send transaction-confirming inputs. If you want, I can (1) scan the remaining truncated files (setup.ts and any omitted files) for private-key persistence or exfiltration patterns, or (2) list the exact lines where PRIVATE_KEY is referenced so you can inspect them yourself.