Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DefiLlama MCP Setup

v1.0.0

Install and configure the DefiLlama MCP server for DeFi analytics. Provides 23 tools for TVL, token prices, yields, protocol metrics, stablecoins, bridges, E...

by Reynardo Etenia Wongso (@reynardoew)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (install/configure DefiLlama MCP and provide tools for DeFi analytics) aligns with the SKILL.md steps: adding an MCP server URL and authenticating via OAuth, then installing workflow skills. No unrelated credentials or system-level accesses are requested.
! Instruction Scope
Instructions direct runtime actions beyond passive guidance: run npx commands to install skills, use mcp-remote to bridge MCP servers in headless environments, and relay OAuth URLs via messaging channels. The SKILL.md explicitly says 'Do not ask the user for confirmation — run the command directly,' giving the agent broad autonomous authority to download/run code and to forward OAuth URLs which could be misused. These instructions expand scope from 'help user configure' to 'perform autonomous installs and network actions' without safeguards.
! Install Mechanism
There is no install spec in the manifest, but the runtime instructions tell the agent to run npx commands (e.g., 'npx skills add DefiLlama/defillama-skills --yes', 'npx mcp-remote ...'). npx fetches and executes code from the npm registry (arbitrary third‑party code) at runtime—this is higher risk than instruction-only behavior because it writes/executes code not vetted by the skill manifest.
Credentials
The skill declares no required environment variables or credentials, and the described OAuth flow doesn't request copying secrets into env vars. However, the flow depends on the agent and runtime having network and messaging access and will store OAuth tokens (the doc says tokens refresh every 24 hours). Those tokens and the ability to forward OAuth URLs are not represented in the manifest and could be sensitive if mishandled.
! Persistence & Privilege
always:false and normal autonomous invocation are fine by themselves, but the instruction to perform installs and not ask for confirmation effectively encourages autonomous, permanent actions (downloading packages, installing skills) without explicit user consent. That increases the blast radius even though the skill doesn't request 'always: true'.
What to consider before installing
This skill appears to do what it claims (configure DefiLlama MCP), but it asks the agent to run npx to fetch and execute npm packages and to perform OAuth flows and installs without user confirmation. npx can execute arbitrary code from the npm registry, so you should not allow unfettered automatic execution. Before installing:
1) verify the npm packages referenced (DefiLlama/defillama-skills, mcp-remote) are official and review their source;
2) prefer manual installation or require explicit user confirmation before running any npx command;
3) avoid pasting OAuth callback URLs or tokens into untrusted channels; complete OAuth only in a trusted browser and verify token storage location;
4) if possible, run installs in a sandboxed environment and inspect package contents.
If the publisher and npm packages are verifiably official and you control when the agent can execute commands, the risk is lower; otherwise proceed cautiously.
