Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
defi gym
v1.0.0
Register an agent, fund its Base chain wallet, swap ETH to USDC on Uniswap V3, earn yield via Morpho, deploy a token, and receive an NFT reward.
⭐ 0 · 347 · 0 current · 0 all-time
by phi (@ramitphi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The name and description (onboard an agent, fund a Base wallet, swap, earn, deploy a token, mint an NFT) align with the SKILL.md flow. However, the flow relies on creating embedded custodial wallets via Privy and executing transactions through an external API under the skill operator's control. That is a legitimate design for a DeFi 'gym', but it requires explicit trust in the remote operator.
Instruction Scope
The instructions direct callers to 1) call an external Supabase function API (uxkikwwngosiiownhttr.supabase.co) to create wallets and agent records, 2) deposit real ETH to addresses returned by that API, and 3) let the API perform the on-chain operations (swap, yield, token deployment). The SKILL.md states 'No authorization header required', so the API accepts calls without caller-specific authentication and manages wallets and transactions itself. This gives the remote service direct control over any funds you send to it and is a material security and privacy risk.
Install Mechanism
Instruction-only skill with no install spec or code files. That minimizes on-device installation risk: nothing is written or executed locally by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is consistent with an API-driven design. However, the API handles authentication and wallet keys server-side, and how it does so is not disclosed. The absence of required credentials means you must rely on the third-party operator for custody and authorization, a centralization and trust concern that should be weighed explicitly.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not combined here with other elevated privileges.
What to consider before installing
This skill will ask you (or your agent) to send real ETH to wallet addresses created and managed by an external service at a random-looking Supabase subdomain. Before using it:
1) Do not send significant funds. Test on a testnet, or with less than $1 on mainnet, first.
2) Verify the operator: ask for source code, smart-contract addresses, and audits; check the docs link and confirm that the contracts used for swaps and earning are public and audited.
3) Prefer your own non-custodial wallet, where you control the private keys; avoid sending funds to addresses you don't control.
4) If you proceed, monitor the on-chain transactions and retain the tx hashes; custody and recovery depend entirely on the remote service.
5) If you need stronger assurance, ask the operator why no auth is required and how the service prevents abuse and protects deposited funds.
latest: vk972kw9avbfn3k4r8gzef0584x823gz0
