Crypto Defi
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install or invoke this expecting a calculator, then provide portfolio or position details that are instead stored as local logs.
The same artifact advertises DeFi yield calculations but describes a logging/export tool. The visible script also appends inputs to log files rather than implementing APY, impermanent-loss, or staking-reward calculations.
description: "Calculate DeFi yields including APY, impermanent loss, and staking rewards." ... "recording and reviewing crypto-related observations with timestamped logs and multi-format data export."
Treat this as a local crypto notes/logging tool, not a yield calculator, unless the maintainer adds actual calculation functionality and updates the description to match.
Portfolio balances, wallet observations, or trading notes entered into the tool may remain on disk and be visible to anyone or any process with access to those files.
The skill intentionally persists user-entered crypto and portfolio information in plaintext files that can be searched or exported later.
All data is stored locally in plain-text log files: ... Location: `~/.local/share/crypto-defi/` ... History: All operations are additionally logged to `history.log`
Do not store seed phrases, private keys, exact holdings, or other highly sensitive financial information. Review and delete files under ~/.local/share/crypto-defi if needed.
Users may need to manually inspect or install the script, and the registry metadata may not fully describe the local command behavior.
The skill nevertheless includes a Bash script and documents a crypto-defi command, so the metadata does not clearly explain how the command is installed or wired into the environment.
No install spec — this is an instruction-only skill.
Verify the script source and installation path before enabling it; maintainers should add an install spec or adjust metadata to match the packaged command.
