Gekko Yield
Warn. Audited by ClawScan on May 18, 2026.
Overview
Gekko Yield is a coherent DeFi skill, but it can sign real blockchain transactions with a hot private key and its auto-compound flow can move more USDC than a user may expect.
Use only a dedicated limited-balance wallet. Avoid running auto-compound if the wallet contains USDC you do not want deposited. Treat every deposit, withdraw, approval, swap, and compound command as a real transaction, and verify the route, contract addresses, amounts, and slippage before signing.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running auto-compound can cause the wallet to sign an externally assembled swap transaction involving real assets.
The compound flow sends transaction data assembled by the external Odos API without local simulation or destination/value validation in the shown code, even though the skill advertises transaction simulation.
simulate: false ... walletClient.sendTransaction({ to: assembled.transaction.to as Address, data: assembled.transaction.data as Hex, value: BigInt(assembled.transaction.value) })
Before using compound, verify the Odos route, destination contract, value, and slippage; the skill should locally simulate the transaction and require explicit user confirmation.
If the wallet contains idle USDC that the user did not intend to deposit, running auto-compound can deposit it into the vault.
After swapping rewards, the script deposits the full USDC balance in the wallet, not just the USDC received from reward swaps.
const usdcBalance = await getTokenBalance(publicClient, USDC_ADDRESS, account.address); ... args: [usdcBalance, account.address]
Use a dedicated wallet or empty unintended USDC before running compound; the skill should track swap proceeds, let the user set an amount cap, and require confirmation.
A mistaken or autonomous invocation can move funds as soon as the command is run.
The deposit script prints a preview and then proceeds to approval and deposit execution; the provided code does not show an interactive confirmation step before sending transactions.
console.log('📋 Transaction Preview'); ... approveAndVerify(... depositAmount ...); ... simulateAndWrite(... functionName: 'deposit' ...)
Require an explicit confirmation prompt or platform approval before any approve, deposit, withdraw, swap, or compound transaction.
Any bug, misuse, or compromised environment could affect all funds controlled by that private key.
The skill uses a raw wallet private key from the environment to sign transactions. This is expected for the stated DeFi purpose, but it is high-impact authority.
"envVar": "PRIVATE_KEY" ... "This skill manages real funds"
Use a dedicated hot wallet with limited funds and ensure the registry metadata clearly declares the PRIVATE_KEY requirement.
Users rely on the included package files and npm ecosystem dependencies before running fund-moving code.
The skill requires installing Node packages and executing TypeScript scripts. That is purpose-aligned, but there is no registry install spec and the source/homepage are unknown.
pnpm install # or npm install ... npx tsx setup.ts
Review the package files, prefer the provided lockfile, and install in a dedicated environment before connecting a funded wallet.
Local logs can reveal wallet activity and may influence generated reports.
The skill persists transaction history locally for reports and audit trails.
const logDir = expandPath('~/.config/gekko-yield/logs'); ... appendFileSync(logPath, JSON.stringify(entry) + '\n');
Protect or periodically review the ~/.config/gekko-yield directory, especially on shared machines.
A third-party API can observe wallet and intended swap details, although this is aligned with the swap function.
The compound flow sends wallet address and token amount information to the Odos API to obtain swap routes.
rateLimitedFetch('https://api.odos.xyz/sor/quote/v2', ... userAddr: userAddress, inputTokens: [{ tokenAddress: tokenIn, amount: amountIn.toString() }])
Use the feature only if comfortable sharing public wallet/swap metadata with Odos, and verify routes before signing.
Users may underestimate the risk of depositing funds into an on-chain vault.
The documentation uses strong safety language for a DeFi product that still carries smart-contract, market, liquidity, and key-management risk.
Earn safe yield on USDC ... one of the safest places to earn yield on Base
Independently verify the vault, understand DeFi risks, and only deposit funds you can afford to risk.
