Morpho Earn - earn safe yield on your USDC on Base

Security checks across malware telemetry and agentic risk

Overview

This DeFi skill is coherent but needs careful review because it can load a wallet private key and automatically sign transactions involving real funds.

Only install this if you are comfortable letting an agent use a dedicated hot wallet for DeFi transactions. Do not use your main wallet, limit the funds in the wallet, disable auto-compound unless you explicitly want it, inspect HEARTBEAT.md after setup, and review the transaction scripts and npm dependencies before signing or automating anything.

VirusTotal

65/65 vendors reported no detection for this skill.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

If the configured wallet key, script behavior, or dependencies are compromised, funds in that wallet could be moved or locked in unintended transactions.

Why it was flagged

A wallet private key gives transaction-signing authority over the wallet's funds. This is coherent for DeFi automation, but it is a major permission boundary, and the registry metadata does not declare the wallet key as the skill's primary credential.

Skill content
⚠️ **This skill manages real funds. Review carefully:**

- Private keys loaded at runtime from your chosen source
Recommendation

Use only a dedicated hot wallet with limited funds, review the scripts before use, avoid using a main wallet, and confirm the registry metadata accurately declares the wallet credential requirement.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent can claim rewards, approve/swap tokens, and deposit USDC, which may incur gas costs, slippage, smart-contract risk, or unintended position changes.

Why it was flagged

The compound command chains multiple on-chain financial actions using the wallet key. This is the advertised purpose, but it is high-impact automation and the visible workflow does not require a fresh manual approval for each transaction.

Skill content
This script:
 * 1. Checks for claimable rewards and claims them
 * 2. Swaps reward tokens (MORPHO, WELL, etc.) to USDC via Odos aggregator
 * 3. Deposits the USDC into the Moonwell vault
Recommendation

Run compound manually at first, keep auto-compound disabled unless you understand the flow, and require explicit approval for any deposit, withdrawal, swap, or approval transaction.

ASI10: Rogue Agents
Medium
What this means

A future agent run could perform financial actions based on stored heartbeat instructions rather than a fresh user request.

Why it was flagged

Auto-compounding defaults to yes unless the user answers no, and setup can add persistent instructions for the agent to run the compounding command later.

Skill content
const autoInput = await ask(rl, 'Auto-compound when threshold reached? [Y/n]: ');
const autoCompound = autoInput.toLowerCase() !== 'n';
...
entry += `  - Run \`npx tsx compound.ts\` to claim and reinvest\n`;
Recommendation

Choose 'n' for auto-compound unless you explicitly want autonomous operation, inspect HEARTBEAT.md after setup, and remove any scheduled compounding instructions you do not want.
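As an added illustration for both the ASI02 and ASI10 findings (this is not code from the skill or from ClawScan), the TypeScript below models the four on-chain actions of the compound flow and puts each one behind a policy check plus an explicit confirmation hook. It also shows an opt-in prompt parser whose empty default is "no", the reverse of the [Y/n] prompt quoted above. The step names, the policy fields, the placeholder addresses and the amounts are constructed for the example; nothing here signs or broadcasts a transaction.

```typescript
// Added example, not the skill's code. It models the four on-chain actions the
// compound flow performs and gates each one behind a policy plus an explicit
// confirmation hook. Nothing here signs or broadcasts anything.

type Step = "claim" | "approve" | "swap" | "deposit";

interface PlannedTx {
  step: Step;
  to: string;           // contract the transaction is sent to
  usdcAmount: bigint;   // USDC moved by this step, in 6-decimal base units (0n for claims)
  allowance?: bigint;   // for "approve" steps: the ERC-20 allowance being granted
}

interface Policy {
  allowedContracts: Set<string>;  // lowercase addresses the user verified out of band
  maxUsdcPerTx: bigint;
  autoCompound: boolean;          // true only if the user explicitly opted in
}

interface Decision {
  ok: boolean;
  reason: string;
}

// A common "unlimited" allowance value; anything this large is treated as unbounded.
const UINT256_MAX = 2n ** 256n - 1n;

// Builds a policy with addresses lowercased so comparisons are case-insensitive.
function makePolicy(addresses: string[], maxUsdcPerTx: bigint, autoCompound: boolean): Policy {
  return {
    allowedContracts: new Set(addresses.map((a) => a.toLowerCase())),
    maxUsdcPerTx,
    autoCompound,
  };
}

// Opt-in parser for the setup prompt: only an explicit "y"/"yes" enables
// autonomous operation. Empty input (just pressing Enter) means no.
function parseOptIn(answer: string): boolean {
  const a = answer.trim().toLowerCase();
  return a === "y" || a === "yes";
}

// Decides whether one planned transaction may be signed. The confirm hook is
// the human in the loop; it is consulted for every step unless the user opted
// in to auto-compound, and no step can bypass the allowlist or the caps.
function gate(tx: PlannedTx, policy: Policy, confirm: (tx: PlannedTx) => boolean): Decision {
  if (!policy.allowedContracts.has(tx.to.toLowerCase())) {
    return { ok: false, reason: `${tx.step}: target ${tx.to} is not a verified contract` };
  }
  if (tx.usdcAmount > policy.maxUsdcPerTx) {
    return { ok: false, reason: `${tx.step}: amount exceeds the per-transaction cap` };
  }
  if (tx.step === "approve" && (tx.allowance === undefined || tx.allowance >= UINT256_MAX)) {
    // An unbounded allowance lets the spender move the token long after this
    // compound run has finished, so it is rejected outright.
    return { ok: false, reason: "approve: allowance must be bounded" };
  }
  if (!policy.autoCompound && !confirm(tx)) {
    return { ok: false, reason: `${tx.step}: declined by user` };
  }
  return { ok: true, reason: `${tx.step}: approved` };
}

// Runs a plan in order and stops at the first rejected step, so a declined
// approval never leaves a later swap or deposit running unattended.
function runPlan(
  plan: PlannedTx[],
  policy: Policy,
  confirm: (tx: PlannedTx) => boolean,
  sign: (tx: PlannedTx) => void,
): Decision[] {
  const decisions: Decision[] = [];
  for (const tx of plan) {
    const d = gate(tx, policy, confirm);
    decisions.push(d);
    if (!d.ok) break;
    sign(tx);
  }
  return decisions;
}

// Constructed sample plan with placeholder addresses (not real Base contracts).
const VAULT = "0x" + "a".repeat(40);
const ROUTER = "0x" + "b".repeat(40);
const ONE_USDC = 1_000_000n;
const samplePlan: PlannedTx[] = [
  { step: "claim", to: VAULT, usdcAmount: 0n },
  { step: "approve", to: ROUTER, usdcAmount: 0n, allowance: 25n * ONE_USDC },
  { step: "swap", to: ROUTER, usdcAmount: 25n * ONE_USDC },
  { step: "deposit", to: VAULT, usdcAmount: 25n * ONE_USDC },
];
```

The point of the layout is that the allowlist and the caps apply whether or not auto-compound is on; the opt-in flag only decides whether a human is asked, never whether the checks run.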

ASI05: Unexpected Code Execution
Low
What this means

If the item or field value in the local config contains shell metacharacters, they are interpolated into the op read command line and executed as additional shell commands. A tampered config could therefore run arbitrary commands with the user's privileges, not merely return the wrong key.

Why it was flagged

The static scan shows shell execution to read a 1Password item. This is expected for the documented 1Password wallet option, but building the command with execSync and string interpolation of config values is a command-injection surface; the values should be validated and passed as arguments without a shell.

Skill content
key = execSync(`op read "op://${item}/${field}"`, { encoding: 'utf-8' }).trim();
Recommendation

Use the setup wizard-generated config, keep config files protected, and review scripts/config.ts before enabling the 1Password credential source.
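As an added illustration (not code from the skill or from ClawScan), the TypeScript below shows why the interpolated command is injectable and one hardened alternative that validates the item and field against a character allowlist and calls op with an argument array so no shell parses the reference. The config field names mirror the item and field values quoted above; the allowlist, the key-format check and the injectable runner are assumptions made for the example.

```typescript
import { execFileSync } from "node:child_process";

// Added example, not the skill's code. Field names mirror the `item` and
// `field` values interpolated in the flagged command; the character allowlist
// below is an assumed policy for what a 1Password reference may contain.

interface OnePasswordRef {
  item: string;   // everything between "op://" and the field, e.g. "<vault>/<item>"
  field: string;  // the item field holding the private key
}

// Allowlists: item may contain "/" separators (vault/item/section), field may not.
const ITEM_PATTERN = /^[A-Za-z0-9 ._-]+(\/[A-Za-z0-9 ._-]+)*$/;
const FIELD_PATTERN = /^[A-Za-z0-9 ._-]+$/;

// The pattern the static scan flagged: config values spliced into a shell
// string. A crafted item name is executed as additional shell commands.
function buildUnsafeCommand(ref: OnePasswordRef): string {
  return `op read "op://${ref.item}/${ref.field}"`;
}

// Validation rejects anything outside the allowlist instead of trying to quote
// it; quotes, semicolons, backticks, $() and newlines never reach a command.
function validateOpRef(ref: OnePasswordRef): string {
  if (!ITEM_PATTERN.test(ref.item)) {
    throw new Error("refusing 1Password item: contains characters outside the allowlist");
  }
  if (!FIELD_PATTERN.test(ref.field)) {
    throw new Error("refusing 1Password field: contains characters outside the allowlist");
  }
  return `op://${ref.item}/${ref.field}`;
}

type Runner = (file: string, args: string[]) => string;

// execFileSync hands argv straight to the process; no shell interprets the URI.
const defaultRunner: Runner = (file, args) =>
  execFileSync(file, args, { encoding: "utf-8" });

// Hardened retrieval. `run` is injectable so the flow can be exercised without
// the op binary installed; real use relies on the default runner.
function readKeyFromOnePassword(ref: OnePasswordRef, run: Runner = defaultRunner): string {
  const uri = validateOpRef(ref);
  const key = run("op", ["read", uri]).trim();
  // Fail closed if the secret is not a 32-byte hex key, so a wrong item or a
  // tampered config cannot hand the signer arbitrary bytes.
  if (!/^(0x)?[0-9a-fA-F]{64}$/.test(key)) {
    throw new Error("1Password item did not contain a 32-byte hex private key");
  }
  return key;
}
```

The allowlist is deliberately narrower than what 1Password permits in item names; rejecting an unusual name is a cheap failure, while quoting every shell-significant character correctly is not.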

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing dependencies can execute or load third-party package code in the local environment.

Why it was flagged

The skill relies on npm installation and npx execution even though the registry says there is no install spec. This is common for Node/TypeScript skills, but it makes dependency provenance relevant.

Skill content
"setup": "cd scripts && npm install && npx tsx setup.ts"
Recommendation

Install only from a trusted source, verify the repository and its package-lock.json, prefer npm ci (which installs exactly what the lockfile pins and fails if it disagrees with package.json) over a plain npm install, and avoid installing from an unreviewed copy.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Users may underestimate smart-contract, market, wallet, automation, or hot-key risk.

Why it was flagged

The skill uses strong safety-oriented marketing language for a DeFi strategy. The same artifact also warns that real funds are involved, which mitigates but does not remove the need for user caution.

Skill content
# Morpho Earn — Earn safe yield on your USDC

The Moonwell Flagship USDC vault is one of the **safest places to earn yield on Base**
Recommendation

Treat the yield strategy as risky despite the safety language, start with a small amount, and independently verify the vault and contract addresses.