← Back to Skills Marketplace
72
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install yield-offer-sanity-check
Description
A checklist skill that evaluates whether a yield, staking, or earn offer is reasonable or suspicious. Use when the user encounters a yield promotion. Prompt-...
Usage Guidance
The skill's markdown describes a prompt-only checklist, but the included handler.py reads a hard-coded absolute path (/Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md). This is inconsistent and risky: if the platform executes handler.handle with a crafted skill_name, the code could read local files (and path traversal via '..' segments may be possible). Before installing, ask the author why the skill needs to read a local SKILL.md and request that they remove filesystem access or sanitize and constrain paths. If you must test it, run the skill in a tightly sandboxed environment, inspect/modify handler.py to remove the file read, or demand the skill be truly prompt-only (no code). Also consider denying autonomous invocation or reviewing runtime logs for unexpected file reads. Do not install it into a production agent until the file-access behavior is explained or removed.
Capability Analysis
Type: OpenClaw Skill
Name: yield-offer-sanity-check
Version: 1.0.0
The skill contains a significant security flaw in handler.py, where it uses a hardcoded absolute path to a specific user's home directory (/Users/jianghaidong/.openclaw/skills/) and lacks sanitization for the skill_name parameter. This creates a potential path traversal vulnerability if the skill_name is user-controlled. While there is no evidence of intentional data exfiltration or malicious logic, the inclusion of environment-specific paths and insecure file access patterns is highly irregular for a portable skill bundle.
Capability Tags
Capability Assessment
Purpose & Capability
The SKILL.md describes a prompt-only checklist for yield offers and declares no required binaries, env vars, or config paths. However, the packaged handler.py attempts to load a SKILL.md from a hard-coded absolute path under /Users/jianghaidong/.openclaw/skills/{skill_name}. Reading local files is not justified by the stated prompt-only purpose and is disproportionate.
Instruction Scope
Runtime instructions (SKILL.md) do not instruct reading any filesystem path, but handler.py performs file I/O: opening an absolute path to a SKILL.md. This is scope creep: the code accesses local files not mentioned in the documentation and could be used to read arbitrary files via crafted skill_name (relative path segments).
Install Mechanism
There is no install specification (instruction-only), so nothing is downloaded or written during install. The risk comes from the included code being executed by the platform rather than from an installer or third-party download.
Credentials
The skill declares no required environment or credentials, yet the code reaches into a specific user's home path. This implicit dependence on a local config path is unexplained and disproportionate to the skill's purpose; it may expose local files if the platform executes handler.py with attacker-controlled arguments.
Persistence & Privilege
The skill does not request 'always' presence, does not declare elevated privileges, and does not modify other skills. The main privilege concern is the code's ability to read local files when invoked, not persistent installation privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yield-offer-sanity-check - After installation, invoke the skill by name or use
/yield-offer-sanity-check - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of yield-offer-sanity-check:
- Provides a checklist workflow to evaluate yield, staking, or earn offers for reasonableness or suspicion.
- Outputs an offer summary, a sanity check verdict, red flags, analysis of the offer, and recommended next steps.
- Uses evidence and math rather than vague skepticism to assess offers.
- Flags new protocols with no track record and highlights unknowns if information is missing.
- Requires only user-provided offer details; no on-chain data or integrations needed.
Metadata
Frequently Asked Questions
What is Yield Offer Sanity Check?
A checklist skill that evaluates whether a yield, staking, or earn offer is reasonable or suspicious. Use when the user encounters a yield promotion. Prompt-... It is an AI Agent Skill for Claude Code / OpenClaw, with 72 downloads so far.
How do I install Yield Offer Sanity Check?
Run "/install yield-offer-sanity-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yield Offer Sanity Check free?
Yes, Yield Offer Sanity Check is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Yield Offer Sanity Check support?
Yield Offer Sanity Check is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Yield Offer Sanity Check?
It is built and maintained by haidong (@harrylabsj); the current version is v1.0.0.
More Skills