Morpho Earn - earn safe yield on your USDC on Base
v1.2.0
Earn yield on USDC by supplying to the Moonwell Flagship USDC vault on Morpho (Base). Use when depositing USDC, withdrawing from the vault, checking position/APY, or setting up wallet credentials for DeFi yield.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code and instructions align with the stated purpose: it reads wallet balances, claims Merkl-distributed rewards, swaps them via Odos, and deposits into the Moonwell/Morpho vault on Base. There's no request for unrelated cloud credentials or services. Minor mismatch: SKILL metadata only lists 'node' as a required binary, yet the README and setup mention optional 1Password integration (which requires the 'op' CLI) and environment-variable wallet sources.
Instruction Scope
Runtime instructions and scripts will load private keys (from a file, env var, or 1Password), write config/preferences to ~/.config/morpho-yield/, and optionally append a HEARTBEAT.md entry under ~/clawd/HEARTBEAT.md. The scripts call external HTTP APIs (Merkl, Odos, CoinGecko, and an RPC) and will assemble and submit transactions returned or suggested by those services. Executing transactions created or assembled by remote services (Odos 'assemble' endpoint) means a compromised remote service or manipulated response could cause undesired on-chain transactions — this is expected behavior for an auto‑compound script but is a noteworthy operational risk.
Install Mechanism
There is no remote installer that downloads arbitrary binaries from unknown hosts. The project is Node/TypeScript based and uses npm packages (viem, tsx etc.) from the public registry — typical for this kind of project. No unusual download URLs or extract/install steps were observed in the provided files.
Credentials
The skill does not declare required env vars in registry metadata, which is reasonable because wallet configuration is optional/interactive. However the scripts support reading a private key from an environment variable (e.g. MORPHO_PRIVATE_KEY) and 1Password integration (requires 'op' CLI) — these are not declared as required. The requested secrets (private key) are proportional to the stated functionality, but they are highly sensitive and the user must supply them. Ensure you only use a dedicated hot wallet with limited funds.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It writes its own config (~/.config/morpho-yield/) and can optionally modify ~/clawd/HEARTBEAT.md; that is reasonable for the stated monitoring integration. Important: if you enable autoCompound and allow the agent to invoke skills autonomously, the agent will be able to sign and submit transactions from the configured wallet (autonomous execution combined with wallet access increases blast radius).
What to consider before installing
This skill appears to implement the described Morpho/Moonwell automation, but it operates on real funds and relies on external services to construct and sign transactions. Before installing:
- Review the code (especially scripts/config.ts, simulateAndWrite/verifyContracts, and the Odos assemble usage) to ensure they do exactly what you expect.
- Use a dedicated hot wallet with only a small amount of USDC/ETH for testing — never your main wallet.
- Test read-only commands first (status.ts, report.ts) before running any claim/compound operations.
- If you plan to use 1Password integration, ensure the 'op' CLI is available (the skill doesn’t declare it).
- Understand that the Odos assemble/quote endpoints return transaction payloads your wallet will sign — if Odos or the network between you and Odos is compromised it could return malicious tx data. Consider replacing or verifying aggregator responses locally where possible.
- Verify the RPC endpoints (default is moonwell's RPC) and prefer your own trusted RPC provider.
- If you want lower risk, disable autoCompound and require manual approval for claim/swap/deposit actions.
If you want, I can: (1) point to the exact lines/functions to audit (simulateAndWrite, assembleOdosTransaction, verifyContracts), (2) summarize where private keys are read and stored, or (3) produce a short checklist to harden usage (file perms, environment variables, manual approval).
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌜🌛 Clawdis
Bins: node
