Skill v1.0.0
ClawScan security
n0ir DeFi Yield Scout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 1:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested resources are coherent with its stated purpose (scanning USDC yield opportunities using DeFiLlama); it requires no credentials and has no unusual install steps.
- Guidance: This skill appears to do what it says: it queries DeFiLlama, filters to a small whitelist of protocols, and presents scan/breakeven/history analyses. Before installing, consider: (1) the source and homepage are unknown — verify you trust the publisher and review the included Python file yourself; (2) the skill fetches live data from yields.llama.fi and writes a cache file in your temp directory (not sensitive, but note it persists data for 15 minutes); and (3) this is informational only — always verify on-chain before moving funds. No credentials are requested, and there are no downloads or unusual privileges.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the Python CLI fetches pool and chart data from DeFiLlama, filters to the listed whitelisted protocols and L2 chains, and implements scan/breakeven/history/protocols subcommands described in SKILL.md.
- Instruction Scope (ok): SKILL.md directs the agent to run the included Python script and to use DeFiLlama as the data source. The runtime instructions do not ask the agent to read unrelated files or environment variables. The script only reads/writes a cache file in the system temp directory and calls the DeFiLlama endpoints declared in the code.
- Install Mechanism (ok): No install spec is provided (instruction-only with bundled script). The code uses only Python stdlib and performs a harmless cache write to the system temp directory; there are no downloads from untrusted URLs or package installs.
- Credentials (ok): The skill requests no environment variables, no credentials, and only queries public DeFiLlama endpoints. No secret or unrelated service access is required.
- Persistence & Privilege (ok): always is false and the skill does not modify other skills or system-wide configuration. It persists only a temporary cache file (yield_scout_pools.json) in the OS temp directory.
