Web3 Yield Automator PRO

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: web3-yield-automator-pro
Version: 2.0.0

The skill bundle is a non-functional stub for a 'premium' $299 DeFi tool, containing only basic CLI configuration logic in index.js and no actual yield farming functionality. It is classified as suspicious because it directs users to install an external global NPM package (web3-yield-automator) and contact an external handle (@Thedarksideofthemood45) for licensing, which effectively bypasses the security review of the functional code and could facilitate a scam or supply chain attack.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If real signing authority were connected, an agent could move or rebalance crypto assets in ways that are hard to reverse and may cause financial loss.

Why it was flagged

The skill advertises autonomous, direct financial transactions across chains but does not define approval prompts, transaction limits, or safety controls.

Skill content

automates DeFi yield farming across 10+ chains with ZERO manual intervention ... Rebalances funds ... Smart Contract Integration - Direct on-chain execution

Recommendation

Do not grant transaction-signing authority unless every transaction requires explicit wallet approval and the strategy has audited limits, caps, and a clear emergency stop.

What this means

Users may be asked later to provide wallet access, private keys, or signing permissions without a clear declared boundary.

Why it was flagged

The artifacts signal wallet/sensitive-credential and purchase authority, while the declared credential contract says none, leaving it unclear what privileges the skill would actually need or use.

Skill content

Primary credential: none; Required env vars: none; Capability signals: requires-wallet, can-make-purchases, requires-sensitive-credentials

Recommendation

Never provide seed phrases or private keys. Require a documented wallet-connection model, exact permissions, supported chains/protocols, and manual confirmation for all transactions.

What this means

A user could pay for or trust a financial automation tool whose provided artifacts do not demonstrate the promised functionality.

Why it was flagged

The shipped code is only a stub, while the skill description sells premium automation and specific yield/ROI claims.

Skill content

// Stub for actual DeFi automation logic ... Full automation logic deployed on purchase.

Recommendation

Treat the advertised returns and premium claims as unverified. Require working reviewed code, independent audits, and clear licensing before paying or relying on it.

What this means

Users may install or run code from an external npm package that is not clearly tied to the reviewed artifacts.

Why it was flagged

The registry metadata lacks provenance, while the included package files identify a different package/version and SKILL.md instructs a global npm install, reducing confidence that the reviewed code matches what users install.

Skill content

Source: unknown; Homepage: none; Version: 2.0.0

Recommendation

Verify the npm package owner, version, hashes, and source repository before installing; avoid global installs for high-impact crypto tools unless provenance is clear.

What this means

Wallet addresses are public on-chain, but storing and linking them locally with strategy settings can still reveal financial activity or preferences.

Why it was flagged

The CLI stores wallet addresses and strategy settings persistently in a local config file.

Skill content

const CONFIG_PATH = path.join(__dirname, 'config.json');
let config = { wallets: [], risk: 'moderate', minApy: 8, chains: [] };

Recommendation

Use watch-only or test wallets first, know where the config file is stored, and delete it if you uninstall or no longer want the association retained.