Yield Strategies

Security checks across malware telemetry and agentic risk

Overview

This skill can help manage DeFi yield positions and move crypto funds, but its capabilities are disclosed, scoped, and aligned with its stated purpose.

Install only if you intend to use an agent with an authenticated crypto wallet for DeFi yield workflows. Before any deposit or withdrawal, manually verify the chain, protocol, strategy or position ID, token contract, amount, recipient, fees, approvals, and wallet prompt details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The skill description contains broad, high-frequency trigger phrases like 'find me yield', 'stake my ETH', 'where can I get the best APY?', and 'withdraw from Aave', which can cause the agent to invoke a transactional DeFi skill for loosely related user requests. In this context, overbroad routing is especially dangerous because the skill is user-invocable and exposes deposit/withdraw capabilities, so accidental invocation could steer users into financial actions or protocol-specific workflows without sufficiently narrow intent matching.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal