ClawHub

Gekko Yield

Earn yield on USDC by supplying to the Moonwell Flagship USDC vault on Base. Use when depositing USDC, withdrawing from the vault, checking position/APY, or generating yield reports.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.4k · 0 current installs · 0 all-time installs
by@gekkoai001
duplicate of @Sergey1997/gekko-yield
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (deposit/withdraw/compound USDC into Moonwell vault) match the included TypeScript scripts. Required binary (node) is appropriate. However the registry metadata lists no required environment variables while the SKILL.md and scripts expect a PRIVATE_KEY environment variable — an incoherence between declared requirements and actual runtime needs.
Instruction Scope
Runtime instructions are focused on wallet setup, deposit/withdraw/compound/report operations and reference only expected files/paths (e.g., ~/.config/gekko-yield/config.json). The SKILL.md says private keys are loaded from env and never logged/written; most visible code (approve/deposit/compound/report) does not log private keys and writes only transaction logs to ~/.config/gekko-yield/logs. However the setup script file was not fully inspected in the provided truncated output — you should verify setup.ts does not persist the private key to disk or transmit it.
Install Mechanism
No download/install from arbitrary URLs; code is included and uses standard node tooling (pnpm/npm, viem, tsx). package.json and lockfile reference known packages. This is a low-risk install vector relative to arbitrary remote installs.
!
Credentials
The skill requires access to a wallet private key at runtime (SKILL.md instructs PRIVATE_KEY env var) but the registry metadata didn't declare any required env vars / primary credential. Requesting a private key is proportionate to the stated purpose, but the omission in declared requirements is an incoherence that could lead to users not realizing they must supply a secret. Also verify that the setup script and config writer only store the envVar name (not the secret) as SKILL.md claims.
Persistence & Privilege
always:false (normal). The scripts create and write configuration and logs under ~/.config/gekko-yield which is appropriate for this type of tool. There is no evidence the skill modifies other skills or system-wide settings. The agent-autonomous invocation default is allowed but not set to always:true.
What to consider before installing
This skill appears to implement the advertised vault operations, but take these precautions before installing or funding it: - Confirm PRIVATE_KEY handling: inspect scripts/setup.ts and loadConfig() to ensure the private key is only read from the environment (PRIVATE_KEY) and never written to disk or transmitted to a remote server. The registry metadata should also list the required env var — the omission is an inconsistency. - Use a dedicated hot wallet with minimal funds. Do not use your main/CEX wallet private key. - Review setup.ts locally before running. If you cannot read the file, run the code in an isolated VM/container and monitor network traffic. - Verify contract addresses (vault, USDC, Odos router, reward tokens) on Base's block explorers and official Moonwell docs before sending funds. - Check that transaction logs written to ~/.config/gekko-yield/logs don't contain secret data and that config.json only stores the envVar name and RPC preferences. - If you plan to let an AI agent invoke this skill autonomously, be aware the agent could initiate transactions with the provided private key. Consider disabling autonomous use or restricting the agent's ability to send transaction-confirming inputs. If you want, I can (1) scan the remaining truncated files (setup.ts and any omitted files) for private-key persistence or exfiltration patterns, or (2) list the exact lines where PRIVATE_KEY is referenced so you can inspect them yourself.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976bvbsp4meyfy58drtrpfwa180dppj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦎 Clawdis
Binsnode

SKILL.md

Gekko Yield — Earn safe yield on USDC

Earn yield on USDC via the Moonwell Flagship USDC vault on Base.

Vault: 0xc1256Ae5FF1cf2719D4937adb3bbCCab2E00A2Ca
Chain: Base (8453)
Asset: USDC (0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913)

Why This Vault?

The Moonwell Flagship USDC vault is one of the safest places to earn yield on Base:

  • Powers Coinbase — Provides $20M+ liquidity to Coinbase's BTC/ETH borrow products
  • Blue-chip collateral only — Loans backed by ETH, cbETH, wstETH, cbBTC
  • Conservative LTV ratios — Healthy collateral requirements
  • Isolated markets — Risk is compartmentalized
  • Battle-tested — Morpho's codebase is <650 lines, immutable, extensively audited
  • Multi-layer governance — Moonwell DAO + Block Analitica/B.Protocol curators

Current APY (~4-6%)

ComponentAPYSource
Base yield~4-5%Borrower interest
Rewards~0.5-1%WELL + MORPHO via Merkl
Total~4.5-6%Sustainable, from real demand

Yields come from real borrowing demand, not unsustainable emissions.

Quick Start

cd gekko-yield/scripts
pnpm install  # or npm install
npx tsx setup.ts

The setup wizard will:

  1. Guide you to set your private key as environment variable
  2. Save configuration to ~/.config/gekko-yield/config.json

Commands

Interactive Setup

npx tsx setup.ts

Guides you through wallet configuration.

Check Position & APY

npx tsx status.ts

Returns: current deposit, vault shares, APY, wallet balances, estimated earnings.

Generate Report

# Telegram/Discord format (default)
npx tsx report.ts

# JSON format (for automation)
npx tsx report.ts --json

# Plain text
npx tsx report.ts --plain

Deposit USDC

npx tsx deposit.ts <amount>
# Example: deposit 100 USDC
npx tsx deposit.ts 100

Deposits USDC into the Moonwell vault. Handles approval automatically.

Withdraw

# Withdraw specific amount of USDC
npx tsx withdraw.ts <amount>

# Withdraw all (redeem all shares)
npx tsx withdraw.ts all

Auto-Compound

npx tsx compound.ts

All-in-one command that:

  1. Checks wallet for reward tokens (WELL, MORPHO)
  2. Swaps them to USDC via Odos aggregator
  3. Deposits the USDC back into the vault

Configuration

Config location: ~/.config/gekko-yield/config.json

{
  "wallet": {
    "source": "env",
    "envVar": "PRIVATE_KEY"
  },
  "rpc": "https://mainnet.base.org"
}

Security

⚠️ This skill manages real funds. Review carefully:

  • Private keys loaded at runtime from environment variable
  • Keys never logged or written to disk by scripts
  • All transactions simulated before execution
  • Contract addresses verified on each run
  • Scripts show transaction preview before sending

Recommended Setup

  1. Dedicated wallet — Create a hot wallet just for this skill
  2. Limited funds — Only deposit what you're comfortable having in a hot wallet
  3. Keep gas funded — Maintain small ETH balance on Base for transactions

Error Handling

ErrorCauseFix
Insufficient USDCNot enough USDC in walletBridge/transfer more USDC to Base
Insufficient gasNot enough ETH for txAdd ETH to wallet on Base
Wallet not configuredMissing configRun npx tsx setup.ts
PRIVATE_KEY not setMissing env varSet $env:PRIVATE_KEY="your-key"

Dependencies

Scripts require Node.js 18+. Install deps before first run:

cd scripts && pnpm install

Packages used:

  • viem — Ethereum interaction
  • tsx — TypeScript execution

Built by Gekko AI. Powered by ERC-8004.

Files

13 total
Select a file
Select a file to preview.

Comments

Loading comments…