Gekko Yield

Security checks across malware telemetry and agentic risk

Overview

This real-money DeFi skill is mostly purpose-aligned, but it needs review because it can sign wallet transactions, sweep wallet USDC during compounding, and trust third-party swap data too broadly.

Install only if you are comfortable reviewing a real-funds wallet tool. Use a dedicated Base hot wallet with limited funds, avoid keeping unrelated USDC in that wallet before running compound, and inspect each approval/swap/deposit transaction carefully before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation indicates capabilities to read environment variables and access the network, yet it does not declare corresponding permissions. This creates a transparency and governance problem: users and hosting platforms may underestimate the skill's access to secrets and external services, especially since it handles a private key and submits on-chain transactions. In a fund-managing DeFi skill, undeclared env/network access materially increases risk because secrets exposure or unexpected external calls could affect real assets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is narrow vault interaction, but the described behavior expands to token swaps through Odos, auto-compounding, third-party pricing/APY queries, and local configuration persistence. That mismatch is security-relevant because users may authorize the skill expecting only deposits/withdrawals while it also trades reward tokens and communicates with additional external services, increasing attack surface and transaction risk. In a financial skill managing real funds, hidden or under-disclosed behavior can lead to unintended approvals, slippage losses, bad routing, or disclosure of wallet-linked activity.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README frames the skill as interacting with a single Moonwell USDC vault, but the auto-compound feature explicitly performs token swaps from WELL and MORPHO into USDC. That discrepancy expands the effective trust boundary and risk surface because swapping introduces additional contracts, routing logic, slippage, and asset-conversion behavior that a user may not expect when approving a 'vault-only' skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill manifest says it is for supplying to, withdrawing from, and checking/reporting on a USDC vault, but this script also performs reward-token swaps through Odos. That materially expands the trust boundary to an external router/API and introduces swap-path, slippage, and routing risk that a user would not expect from a vault-only skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script grants ERC-20 allowances to an external swap router, which is a meaningful asset-transfer capability beyond basic vault deposit/withdraw operations. If the router, approval target, or assembled transaction is compromised or misdirected, approved reward tokens can be spent from the wallet up to the approved amount.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The header says the script auto-compounds rewards into the vault, but the implementation deposits the wallet's entire USDC balance, not only USDC obtained from swapping rewards. This can cause unintended asset movement by sweeping unrelated USDC holdings into the vault, violating user expectations and potentially affecting liquidity needed elsewhere.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The command section presents deposit, withdraw, and compound actions as routine CLI operations without an explicit, prominent warning that they trigger irreversible on-chain transactions involving real funds. Even though a later security section mentions real funds, the absence of transaction-risk warnings at the point of use increases the chance of user error, accidental execution, or misunderstanding of slippage, approval, and loss scenarios. Because this skill directly affects assets on Base, ambiguous operational guidance is more dangerous than in a read-only skill.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This code directly submits signed blockchain transactions via walletClient.writeContract without any user-facing confirmation or policy gate at the point of execution. In an agent skill that can move funds and set token allowances, lack of an explicit confirmation step increases the chance of unintended approvals, deposits, or withdrawals caused by prompt misuse, automation errors, or ambiguous user requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup script explicitly instructs users to place a blockchain private key in an environment variable and emphasizes persistence, but it does not adequately warn that environment variables can be exposed through shell history, process inspection, logs, crash dumps, or inherited subprocess environments. In a wallet-management skill, this is security-sensitive because compromise of the private key would directly enable theft of on-chain assets.

External Transmission

Medium
Category
Data Exfiltration
Content
tokenOut: Address,
  userAddress: Address
): Promise<OdosQuoteResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/quote/v2', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
88% confidence
Finding
Fetch('https://api.odos.xyz/sor/quote/v2', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
95% confidence
Finding
Fetch('https://api.odos.xyz/sor/assemble', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
tokenOut: Address,
  userAddress: Address
): Promise<OdosQuoteResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/quote/v2', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
88% confidence
Finding
https://api.odos.xyz/

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
95% confidence
Finding
https://api.odos.xyz/

VirusTotal

64/64 vendors flagged this skill as clean.
