ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yield Farm Payment

v1.0.8

Pay any seller at ZERO net cost. Our high-efficiency logic on Base L2 offsets network fees by pairing payments with low-risk, stablecoin-based yield investme...

0· 59·1 current·1 all-time
by@altoninelli

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for altoninelli/yield-farm-payment.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Yield Farm Payment" (altoninelli/yield-farm-payment) from ClawHub.
Skill page: https://clawhub.ai/altoninelli/yield-farm-payment
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install yield-farm-payment

ClawHub CLI

Package manager switcher

npx clawhub@latest install yield-farm-payment
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (pay on Base and deposit collateral on Aave) justifies needing a wallet private key and an RPC URL. However the registry metadata shown at the top lists no required env vars/credentials while SKILL.md, package.json, and manifest.json clearly require PRIVATE_KEY and BASE_RPC_URL — this metadata mismatch is an incoherence that reduces trust. Additionally manifest.json lists an entrypoint 'scripts/yield-farm-payment.js' that doesn't exist (the actual main file is yield-farm-payment-corrected.js in package.json), which is another inconsistency.
!
Instruction Scope
SKILL.md explicitly instructs the user to store a raw PRIVATE_KEY in .env and to run CLI scripts that will perform on-chain writes. That is coherent with the skill's payment function, but it is high privilege: anywhere the code uses the PRIVATE_KEY it has full control of the wallet. The instructions do not try to exfiltrate the key to external servers in the visible files, but you must inspect the core runtime file (yield-farm-payment-corrected.js) before running. The skill also creates a test-wallet.js helper file dynamically in scripts/check-configuration.js; writing files is allowed but should be reviewed.
Install Mechanism
There is no remote install/download step — dependencies are standard npm packages (viem, dotenv). No external or obfuscated install URLs are used. The skill is delivered as source files, so reviewable locally before execution.
Credentials
REQUESTED CREDENTIALS: PRIVATE_KEY and BASE_RPC_URL are sensitive but proportionate for a tool that must sign transactions on the user's behalf. The skill appropriately warns to use a dedicated low-balance wallet. That said, the registry-level metadata provided to the platform (which claimed 'none' for required env vars) contradicts the package/SKILL.md; that mismatch should be resolved before trusting platform-level permissions. Several optional Aave/ERC20 addresses are also recommended, which is expected.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. Model invocation is allowed (platform default) — note that an autonomously-invokable skill that has access to a raw PRIVATE_KEY would have a higher blast radius if misused; this skill does not set always:true, but you should be cautious about allowing autonomous calls with any private key configured.
What to consider before installing
This skill appears to implement the DeFi payment flow it describes, but there are several red flags you should address before installing or running it: 1) Do not use your main wallet — create a dedicated wallet with minimal funds and only the tokens needed for testing. 2) The skill requires a RAW PRIVATE_KEY in .env; inspect the entire codebase (especially scripts/yield-farm-payment-corrected.js) to confirm the key is only used locally for signing and is not transmitted to any external endpoint. 3) Resolve manifest/metadata inconsistencies (registry metadata said no env vars; manifest.json references a non-existent main entrypoint). These mismatches could be innocent mistakes but reduce trust. 4) Run everything in a controlled environment first (Base Sepolia testnet) and review network calls (grep for http/https/fetch/axios/request) to ensure there are no hidden remote endpoints. 5) If you lack the ability to audit JavaScript yourself, ask a developer/security reviewer to audit the main payment file for key exfiltration or unexpected behavior before providing any private key. If you proceed, start with the smallest amounts and monitor all transactions on basescan.org.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌾 Clawdis
latestvk970a0082nnt9ndkhanvm0zajh85qf27
59downloads
0stars
9versions
Updated 2h ago
v1.0.8
MIT-0
@altoninelli
latest
Download

YieldFarmPayment Skill v1.0.8

Important Security Notice

This skill requires the user to provide a raw PRIVATE_KEY in the .env file.
This grants full control of the wallet to the skill.

Strongly recommended:

  • Use a dedicated wallet created only for this skill
  • Fund it with only the necessary amount + small buffer for gas
  • Never use your main wallet or a wallet containing significant funds

Environment variables required:

  • PRIVATE_KEY: Private key of dedicated wallet
  • BASE_RPC_URL: Base Mainnet RPC URL

DeFi Immediate Payment System with Capital Recovery via Aave V3

Pay recipients immediately on Base network, then recover your capital over time through Aave V3 yield farming.

⚠️ v1.0.8 — Upfront Mode Only

v1.0 supports only Upfront Mode (immediate payment to recipient). Standard Mode (yield streaming) and Smart Mode (deadline optimization) are planned for v2.0 with x402 protocol integration.

🎯 Features

  • Upfront Mode: Immediate USDC payment to recipient + capital recovery via yield
  • Flexible Collateral: 3x to 20x multiplier with configurable buffer (default: 20x)
  • Aave V3 Integration: Deposit collateral to earn yield on Base network
  • Robust Transaction Handling: Automatic retry, gas optimization, error recovery
  • Professional CLI: Full-featured command line interface

💰 How It Works (Upfront Mode)

Payment Flow:

  1. Calculate total collateral: payment × multiplier × (1 + buffer%)
  2. Transfer payment immediately to recipient (seller gets paid NOW)
  3. Deposit remaining collateral in Aave V3
  4. Yield accumulates on deposited collateral
  5. Buyer recovers the payment amount over time via yield

Recovery Time Calculation:

The amount to recover is the PAYMENT (sent to seller), NOT the total collateral.

Recovery Time = Payment Amount / Annual Yield from Aave Deposit

Example: 0.1 USDC payment, 20x collateral, 8% buffer, 3% APY

Total Locked:      0.1 × 20 × 1.08 = 2.16 USDC
Immediate Payment: 0.1 USDC → sent to recipient
Aave Deposit:      2.16 - 0.1 = 2.06 USDC
Annual Yield:      2.06 × 3% = 0.0618 USDC/year
Amount to Recover: 0.1 USDC (the payment, NOT the collateral)
Recovery Time:     0.1 / 0.0618 ≈ 592 days (~1.6 years)

Why Higher Collateral = Faster Recovery:

MultiplierAave DepositAnnual YieldRecovery Time
0.224 USDC0.0067 USDC~15 years
0.440 USDC0.0132 USDC~7.5 years
10×0.980 USDC0.0294 USDC~3.4 years
20×2.060 USDC0.0618 USDC~1.6 years

More collateral deposited in Aave → more yield generated → faster recovery of the payment amount.

🚀 Quick Start

Prerequisites

  • Node.js 18+
  • Base network wallet with ETH for gas
  • USDC tokens for collateral

Installation

cd your-project
npm install viem dotenv

Configuration

  1. Copy .env.example to .env
  2. Set your PRIVATE_KEY and BASE_RPC_URL
  3. Verify contract addresses for Base network

Usage

# Check configuration
node scripts/check-configuration.js

# Safe simulation testing (no transactions)
node scripts/test-realistic-payment.js

# Upfront payment with default 20x collateral
node scripts/cli.js --amount 0.1 --recipient 0x... --buffer 8

# Custom collateral multiplier
node scripts/cli.js --mode upfront --amount 0.5 --recipient 0x... --collateral 10 --buffer 5

📁 Project Structure

yield-farm-payment/
├── SKILL.md                    # This documentation
├── .env.example                # Configuration template
├── package.json                # Dependencies
├── scripts/
│   ├── cli.js                  # CLI interface (upfront mode only in v1.0)
│   ├── yield-farm-payment-corrected.js  # Core payment logic (active)
│   ├── transaction-manager.js  # Robust transaction handling
│   ├── collateral-calculator.js # Collateral optimization
│   ├── check-configuration.js  # Config validation
│   └── test-realistic-payment.js # Comprehensive tests
└── references/
    ├── aave-addresses.md       # Aave contract addresses (v1.0)
    └── v2.0-planned/           # Planned features for future release
        ├── 10x-collateral-guide.md
        ├── flexible-collateral-guide.md
        └── x402-integration.md

🔧 Configuration

Environment Variables (.env)

# Required
PRIVATE_KEY=0x...              # Your wallet private key
BASE_RPC_URL=https://...       # Base network RPC

# Aave V3 Contracts (Base)
AAVE_V3_POOL_ADDRESS=0x794a61358D6845594F94dc1DB02A252b5b4814aD
USDC_ADDRESS=0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
AAVE_USDC_TOKEN_ADDRESS=0x4e65fE4DbA92790696d040ac24Aa414708F5c0AB

# Settings
SKILL_FEE_USDC=0.20            # Fee per skill call
DEFAULT_COLLATERAL_MULTIPLIER=20  # 20x default for ~1.6 year recovery
DEFAULT_BUFFER_PERCENTAGE=8
ESTIMATED_APY=0.03             # 3% conservative APY estimate

🔒 Security & Safety

Built-in Protections

  • Balance Verification: Pre-transaction checks
  • Gas Limit Monitoring: Prevents excessive fees
  • Transaction Retry: 3 attempts with gas price escalation
  • Nonce Management: Handles concurrent transactions

Risk Management

  • Collateral Buffer: 5-15% safety margin
  • APY Estimation: Conservative 3% default
  • Multiplier Limits: 3x minimum, 20x maximum

🚨 Error Handling

Common Errors & Solutions

  • "replacement transaction underpriced": Automatic retry with increased gas
  • "insufficient funds": Balance verification before transaction
  • "nonce too low": Automatic nonce management
  • Contract errors: Detailed logging and fallback

📈 Roadmap

v2.0 Planned Features

  • Standard Mode: Yield streaming via x402 protocol
  • Smart Mode: Deadline optimization
  • x402 Integration: Trustless automatic yield distribution to sellers
  • Multi-token Support: USDT, wETH, etc.

📄 License

MIT License

🙏 Acknowledgments

  • Aave Protocol for yield farming infrastructure
  • Base Network for low-cost L2 execution
  • OpenClaw Community for skill development framework

YieldFarmPayment v1.0 — Immediate payments with capital recovery on Base network. 🚀

Comments

Loading comments...