Gekko Yield

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed real-funds DeFi skill, but its auto-compound command has enough fund-movement and transaction-validation risk that users should review it carefully before installing.

Install only if you understand this is a hot-wallet tool that can approve tokens and submit live Base transactions. Use a dedicated wallet with limited USDC, WELL, MORPHO, and ETH; do not keep idle USDC in the wallet before running compound unless you intend all available USDC to be deposited; and review Odos-based compounding as a third-party assembled transaction before letting an agent run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents capabilities that require environment-variable access and network interaction, but it does not declare corresponding permissions. In a fund-managing DeFi skill, hidden or undeclared capabilities reduce transparency and make it harder for users or platforms to assess the real trust boundary, especially since the skill handles private-key configuration and on-chain transactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior expands beyond simple vault deposit/withdraw/reporting into token sales via Odos, external price fetching, and local persistence. That mismatch is dangerous because users may authorize or run the skill expecting only USDC vault interactions, while the skill can perform additional fund-affecting operations involving third-party services and other assets.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Omitting the auto-compound swap behavior from the manifest description hides a materially different financial action: selling reward tokens through a third-party aggregator before redepositing. In a real-funds context, incomplete disclosure can lead users to underestimate execution, routing, slippage, counterparty, and approval risks.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as a USDC vault interaction tool, but this script adds autonomous reward-token swapping through Odos before depositing into the vault. That materially expands the trust boundary from vault-only actions to arbitrary external routing logic, creating unexpected asset movement risk and a mismatch between declared and actual capabilities.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script obtains a quote, and then assembled calldata, from an external Odos API and sends that transaction data on-chain with only minimal structural checks. Because the transaction destination and calldata are taken on trust from an off-chain service, a compromised API or unexpected response could direct token approvals and swaps in unsafe ways or route funds through unintended contracts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code approves and spends WELL and MORPHO balances even though the skill context is framed around handling USDC vault deposits and withdrawals. This broadens asset custody and creates risk that non-USDC balances held by the wallet are unexpectedly liquidated or exposed to router misuse.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The JSON output asserts that auto-compound swaps WELL/MORPHO via Odos and redeposits to the vault, but this file only generates a report. Misrepresenting performed actions is dangerous because downstream agents or users may rely on the report to believe sensitive financial operations occurred, potentially leading to bad decisions, missed risk checks, or unsafe automation chaining.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not prominently warn that auto-compound performs third-party token swaps and submits live transactions affecting user funds. In this DeFi context, insufficient warning is risky because users may treat compounding as a passive reporting action rather than an active trade-and-reinvest flow with market and routing risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup script explicitly instructs the user to place a wallet private key in the PRIVATE_KEY environment variable and only validates formatting, without meaningfully warning about exposure through shell history, process inspection, inherited environments, crash logs, or persistent user-level environment storage. In a crypto wallet skill, this is especially sensitive because compromise of that key enables immediate unauthorized transfer of funds from the user's wallet.

VirusTotal

64/64 vendors flagged this skill as clean.