Defi Yield

This skill appears to do what it says (query DeFi APY sources and suggest strategies), but it also contains an undocumented billing integration that will attempt to check/charge users via an external service before running the main logic. Notable issues: - scripts/skillpay.py contains a hardcoded API key (BILLING_API_KEY) in plaintext. That key is used to authenticate requests to https://skillpay.me and is a sensitive secret embedded in the skill. - scripts/apy_checker.py and scripts/yield_optimizer.py perform a billing_check at import time (top-level). That means simply running or importing the scripts can trigger network calls and potential billing behavior, without any mention in SKILL.md. - SKILL.md references a position_tracker.py, but that file is not included — inconsistency in the bundle. Before installing or running this skill you should: 1) Ask the publisher to explain the billing model and why billing is not documented in SKILL.md. Do not assume billing is optional. 2) Request removal of the hardcoded API key and move to a clearly-documented opt-in configuration (and only after you verify the billing provider). Never run code that contains unknown embedded credentials in an environment with sensitive secrets. 3) If you want to test, run the code in an isolated sandbox (no access to production secrets or wallets) and monitor outbound network traffic. 4) Confirm the missing position_tracker.py is provided or update SKILL.md to accurately reflect available scripts. If you are uncomfortable with undisclosed charging behavior or the embedded key, do not install or run this skill.