DeFi Yield Monitor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate read-only DeFi monitor, but it installs and runs unpinned GitHub code that was not included in the reviewed package.
Review and trust the GitHub repository before setup, and preferably pin it to a known commit. Add only the wallet addresses you intend to monitor, keep reports private, and enable the optional cron job only if you want ongoing automated reporting.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The code that actually runs the monitor can change after this review and could perform actions not visible in the supplied artifacts.
The setup installs code from a mutable remote GitHub branch instead of a pinned commit, tag, or reviewed bundled source.
REPO_URL="https://github.com/reed1898/defi-yield-monitor.git" ... git clone "$REPO_URL" "$DIR" ... git pull --ff-only origin main
Only install if you trust the GitHub repository; preferably pin to a reviewed commit/tag and include the runtime source and lockfiles in the skill package.
Wallet addresses and derived DeFi position history can reveal sensitive financial information even though they are not credentials.
The skill stores wallet identifiers and historical yield snapshots to produce reports.
Then edit the config with wallet addresses ... After 7 days of snapshots, `--yield-summary` shows actual realized returns
Use a local machine you trust, avoid adding unrelated wallets, and review or remove stored snapshots/config if you stop using the skill.
Automated reports may expose balances, APYs, health factors, and wallet-linked financial activity to chat platforms or shared channels.
The optional reporting workflow can send portfolio reports to external chat services.
Delivery: announce to user's Telegram/Discord
Enable chat delivery only to private destinations you control and confirm the delivery integration before scheduling reports.
If enabled, the monitor can keep collecting and reporting portfolio data until the scheduled job is removed.
The skill documents a recurring scheduled job that continues running after setup.
Create an OpenClaw cron job to collect snapshots and report yields: Schedule: twice daily
Create the cron job only when you want ongoing reports, and document how to pause or delete it.
