Back to skill

Security audit

Gekko Yield

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate DeFi yield skill, but it needs review because its compounding command can move real funds using third-party swap data with limited validation.

Install only if you are comfortable with a real-money DeFi tool that can sign transactions from a hot wallet. Use a dedicated Base wallet with limited funds, keep unrelated USDC out of that wallet before running compound, and manually review approvals, swap routes, contract targets, and transaction amounts before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes use of environment-loaded private keys and live RPC/network interactions, but the skill declares no explicit permissions for those capabilities. That creates a transparency and policy gap: an agent or user may invoke a fund-moving skill without clear permission scoping for secret access and external network use. In a DeFi skill that manages real funds, undeclared env and network access materially increases risk because those capabilities are exactly what enable key use and transaction submission.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation advertises an auto-compounding capability in the repository structure even though the skill metadata says the skill is for deposit, withdrawal, status/APY, and reporting. This scope mismatch can cause an agent to invoke fund-moving behavior the user or host platform did not expect, especially because compounding necessarily introduces extra transactions and token swaps beyond simple vault interaction.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
These instructions direct the agent to swap reward tokens through Odos and redeposit proceeds, but that behavior is outside the stated skill scope and materially expands the trust boundary. Aggregator-based swaps add slippage, routing, approval, and third-party execution risk, so hidden or undocumented use of them can lead to unexpected asset conversions and losses.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The README presents the skill as a simple Moonwell USDC vault interface, but it also advertises auto-compounding that swaps reward tokens such as WELL and MORPHO back into USDC. That expands the operational scope from deposit/withdraw/reporting into token trading behavior, which materially changes user risk, slippage exposure, and trust assumptions for a skill that handles real funds.

Description-Behavior Mismatch

Low
Confidence
75% confidence
Finding
Marketing the product as offering 'safe yield' and a specific '~4-6% APY' can mislead users into underestimating smart contract, market, and operational risks, especially when real funds are involved. While this is not a direct code exploit, overstated safety and return claims in a financial skill can cause unsafe user decisions based on incomplete or inaccurate risk disclosure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script’s documented behavior is vault-focused, but it also performs reward-token swaps through an external DEX aggregator before depositing. That expands the trust boundary from a simple vault interaction to arbitrary off-chain route generation and on-chain swap execution, which can cause users to sign transactions they would not reasonably expect from the skill description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script requests quotes and assembled calldata from Odos, approves reward tokens to the router, and then submits the returned transaction target/data with minimal validation. Because the swap path and calldata are sourced from an external service, a compromised or incorrect response could trigger unintended asset movements or approvals beyond the user’s expected vault-only workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file gives operational instructions for deposit, withdrawal, and auto-compound actions that move user funds, but it does not include a clear warning that these are real on-chain financial operations with irreversible consequences, fees, and DeFi risk. In an agent setting, omission of such warnings increases the chance that users authorize actions without understanding vault risk, smart-contract risk, slippage, or tax/accounting effects.

External Transmission

Medium
Category
Data Exfiltration
Content
tokenOut: Address,
  userAddress: Address
): Promise<OdosQuoteResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/quote/v2', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
83% confidence
Finding
Fetch('https://api.odos.xyz/sor/quote/v2', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
88% confidence
Finding
Fetch('https://api.odos.xyz/sor/assemble', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
tokenOut: Address,
  userAddress: Address
): Promise<OdosQuoteResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/quote/v2', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
83% confidence
Finding
https://api.odos.xyz/

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
88% confidence
Finding
https://api.odos.xyz/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/config.ts:224

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/setup.ts:56