Web3 Yield Automator

Warn. Audited by ClawScan on May 10, 2026.

Overview

Review before installing: the skill advertises hands-free DeFi fund movement and paid premium automation, but the included code is mostly a stub, and the wallet and transaction permissions it needs are not clearly defined.

Do not connect valuable wallets or provide private keys or seed phrases. If you evaluate it anyway, use a read-only address or a test wallet, verify the npm package and its source, and require explicit transaction signing plus documented spending limits before allowing any real DeFi automation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If taken at face value, the agent could be asked to run autonomous financial actions that move funds across chains without clear user control.

Why it was flagged

The skill frames high-impact financial actions as hands-off automation, but the artifacts do not define per-transaction approval, spending limits, slippage/gas caps, rollback, or a kill switch.

Skill content
**The only skill that automates DeFi yield farming across 10+ chains with ZERO manual intervention.**
Recommendation

Do not use this for real funds unless every transaction requires explicit wallet confirmation and the skill documents limits, approvals, logs, and emergency stop controls.

What this means

A user may not know what wallet authority the skill needs or whether it could request broad signing/spending permissions.

Why it was flagged

The capability signals indicate wallet/sensitive-credential and purchase authority, but the declared credential contract does not specify what wallet access is needed, how signing works, or how permissions are scoped.

Skill content
Primary credential: none ... Capability signals: requires-wallet; can-make-purchases; requires-sensitive-credentials
Recommendation

Require a clear credential model before use: never provide seed phrases/private keys, use a hardware wallet or read-only address where possible, and limit any approvals to small, revocable allowances.
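The two recommendations above (per-transaction approval, spending limits, slippage and gas caps, a kill switch, and small revocable allowances) can be enforced as a policy gate that runs before anything is signed. The following is an added illustration, not code from the skill or from ClawScan; the `intent` object shape, the policy fields and the function names are assumptions. Amounts are BigInt base units (wei-style), gas prices are in gwei and slippage is in basis points.

```javascript
// Added example: pre-signing policy gate for a DeFi automation CLI.
// Illustrative only; the intent/policy shapes and names are assumptions.

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" ERC-20 allowance

const DEFAULT_POLICY = {
  killSwitch: false,                    // set true to halt all signing immediately
  allowedChains: new Set([1, 10, 42161]),
  maxValuePerTx: 10n ** 17n,            // 0.1 native token per transaction
  maxValuePerDay: 5n * 10n ** 17n,      // 0.5 native token per rolling day
  maxSlippageBps: 50,                   // 0.50 %
  maxGasPriceGwei: 60,
  maxAllowance: 10n ** 6n,              // token base units one approve() may grant
};

// Check a proposed action against the policy. Every violated rule is reported,
// so the user sees the full picture rather than the first failure.
function evaluateIntent(intent, policy = DEFAULT_POLICY, state = { spentToday: 0n }) {
  const reasons = [];
  const value = intent.value ?? 0n;
  if (policy.killSwitch) reasons.push('kill switch engaged');
  if (!policy.allowedChains.has(intent.chainId)) reasons.push(`chain ${intent.chainId} not in allow-list`);
  if (value > policy.maxValuePerTx) reasons.push('per-transaction value cap exceeded');
  if (state.spentToday + value > policy.maxValuePerDay) reasons.push('daily spending cap exceeded');
  if (intent.kind === 'swap' && intent.slippageBps > policy.maxSlippageBps) reasons.push('slippage cap exceeded');
  if (intent.gasPriceGwei > policy.maxGasPriceGwei) reasons.push('gas price cap exceeded');
  if (intent.kind === 'approve' && (intent.allowance === MAX_UINT256 || intent.allowance > policy.maxAllowance)) {
    reasons.push('allowance exceeds cap; grant a small, revocable allowance instead');
  }
  if (intent.userConfirmed !== true) reasons.push('explicit per-transaction confirmation missing');
  return { allowed: reasons.length === 0, reasons };
}

// Text shown to the user before they confirm; nothing is signed on their behalf.
function describeIntent(intent) {
  const base = `${intent.kind} on chain ${intent.chainId}, value ${intent.value ?? 0n} base units, gas ${intent.gasPriceGwei} gwei`;
  if (intent.kind === 'approve') return `${base}, allowance ${intent.allowance}`;
  if (intent.kind === 'swap') return `${base}, max slippage ${intent.slippageBps} bps`;
  return base;
}

// Called only after evaluateIntent() allowed the action and it was signed:
// keeps the running daily total and an audit log of what was authorised.
function recordApproved(state, intent) {
  state.spentToday += intent.value ?? 0n;
  state.log = state.log ?? [];
  state.log.push({ at: new Date().toISOString(), summary: describeIntent(intent) });
  return state;
}

module.exports = { MAX_UINT256, DEFAULT_POLICY, evaluateIntent, describeIntent, recordApproved };
```

The intended flow is: build the intent, show `describeIntent()` to the user and set `userConfirmed` only from their explicit answer, run `evaluateIntent()`, sign only when `allowed` is true, then `recordApproved()`. Keeping the policy in a separate object also gives the user a single place to lower the caps or flip `killSwitch`.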

What this means

Users could trust or pay for a financial automation product whose included implementation does not match the advertised capabilities.

Why it was flagged

The included code says the real automation logic is not present, while SKILL.md markets the skill as a premium $299 automator with active DeFi features and ROI claims.

Skill content
// Stub for actual DeFi automation logic ... console.log('\n⚡ Full automation logic deployed on purchase.');
Recommendation

Treat the marketing claims as unverified until the complete implementation, licensing terms, and audited transaction logic are available for review.

What this means

Installing an npm package globally places an executable from that package on the machine's PATH.

Why it was flagged

A global npm install is a normal way to install a CLI, but here the user is told to run it for a package from an unknown publisher, with no homepage shown and no registry install spec declaring the setup.

Skill content
npm install -g web3-yield-automator
Recommendation

Verify the npm package publisher, source repository, and package contents before installing globally.

What this means

Wallet identifiers and strategy settings can remain on disk and influence later runs.

Why it was flagged

The CLI persists wallet addresses and risk settings to a local config file for reuse across commands, which is expected for this kind of tool but should be visible to users.

Skill content
const CONFIG_PATH = path.join(__dirname, 'config.json'); ... config.wallets.push(wallet); saveConfig();
Recommendation

Document the config file location, protect its permissions, and provide a clear cleanup/reset command.