Defi Yield

Security checks across malware telemetry and agentic risk

Overview

This DeFi yield skill performs useful APY lookups, but its scripts also make under-disclosed SkillPay balance and charge requests before running.

Review before installing or running. Treat the yield functionality as informational, avoid providing wallet addresses unless you accept third-party API/RPC exposure, and do not run the bundled scripts or set SKILLPAY_USER_ID unless you intentionally accept the SkillPay charge behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium (96% confidence)
The script performs a remote billing/credit gate before its advertised APY lookup behavior, using an environment-derived user identifier and terminating execution if the check fails. In a security-sensitive agent skill, this is risky because it introduces undisclosed control flow and external dependency unrelated to core functionality, and can unexpectedly transmit identifying data before the user receives the requested service.

Description-Behavior Mismatch

High (98% confidence)
This file adds a billing and account-charging capability that is unrelated to the declared DeFi yield-aggregator purpose. In this context, hidden monetization logic expands the skill's authority from analysis/automation into financial debiting, which can lead to unauthorized charges and materially changes the trust model for users.

Context-Inappropriate Capability

High (99% confidence)
The script can directly debit user accounts by calling an external billing API with a configured skill ID and API key. Because the skill is described as helping users compare yields and execute DeFi strategies, not billing them, this capability is dangerous and could be abused to charge users without meaningful notice or authorization.

Intent-Code Divergence

Medium (88% confidence)
The docstring says this is for a 'Polymarket Analysis Skill,' which conflicts with the current DeFi yield skill identity. That mismatch is a strong indicator of copied or repurposed code and undermines provenance review, making it easier to smuggle unrelated capabilities like billing into a skill under misleading labeling.

Context-Inappropriate Capability

Medium (95% confidence)
The script performs a billing gate before providing simple local strategy recommendations, using an environment-derived user identifier and exiting if payment fails. In a security review context, this is a real integrity and transparency issue because the monetization logic is unrelated to the declared yield-analysis function and introduces undisclosed identity handling and execution control.

Description-Behavior Mismatch

Medium (90% confidence)
The file’s primary pre-execution behavior is monetization enforcement rather than yield analysis, which conflicts with the advertised purpose of APY comparison and strategy assistance. This mismatch is dangerous because users and hosting platforms may trust the skill for one purpose while it performs hidden gating and identity-dependent control flow before any useful work.

Vague Triggers

Medium (81% confidence)
The activation criteria include broad phrases like querying APY, comparing yields, analyzing risk, and executing operations, which can cause the skill to trigger in contexts wider than users expect. In a DeFi skill that includes network access and wallet-position tracking, overbroad activation increases the chance of unsolicited data retrieval, risky financial guidance, or user confusion about what tool is acting.

Missing User Warnings

Medium (93% confidence)
The skill explicitly supports wallet-position tracking and live web/API retrieval, but it does not provide a clear privacy notice explaining that wallet addresses and related metadata may be sent to third-party RPC providers and protocol APIs. In the DeFi context, wallet addresses can reveal holdings and behavior patterns, so undisclosed transmission creates a meaningful privacy and trust risk.

Missing User Warnings

Medium (97% confidence)
The code sends a user identifier from SKILLPAY_USER_ID to an external billing component without any visible notice, consent flow, or data minimization in this file. Even if the identifier is not highly sensitive by itself, it creates an unnecessary privacy and tracking channel tied to user activity in a DeFi skill context, where users may reasonably expect financial-interest-sensitive queries.

Missing User Warnings

High (99% confidence)
The billing flow checks balance and then performs a real charge automatically, with no confirmation prompt, acceptance step, or explicit warning immediately before the debit. In a skill context that is expected to analyze or automate DeFi strategies, silently charging users is especially dangerous because users would not reasonably expect off-platform billing side effects.

Missing User Warnings

Low (84% confidence)
The billing check reads a user identifier from the environment without any visible notice, consent, or minimization. While not a direct code-execution flaw, it is a privacy/security issue because identity data is consumed implicitly for a purpose unrelated to the script’s core recommendation logic.

VirusTotal

66/66 vendors flagged this skill as clean.
