← 返回 Skills 市场
131
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install shenmeng-defi-yield
功能描述
DeFi 收益聚合器(Yield Aggregator)助手。帮助用户找到最佳收益策略、 分析各协议 APY、执行自动复投、追踪仓位收益。 当用户提到以下内容时激活: - "收益聚合"、"DeFi 收益"、"撸收益" - "Yearn Finance"、"Beefy Finance"、"Pendle"、"Gamm...
安全使用建议
This skill appears to do what it says (query DeFi APY sources and suggest strategies), but it also contains an undocumented billing integration that will attempt to check/charge users via an external service before running the main logic. Notable issues:
- scripts/skillpay.py contains a hardcoded API key (BILLING_API_KEY) in plaintext. That key is used to authenticate requests to https://skillpay.me and is a sensitive secret embedded in the skill.
- scripts/apy_checker.py and scripts/yield_optimizer.py perform a billing_check at import time (top-level). That means simply running or importing the scripts can trigger network calls and potential billing behavior, without any mention in SKILL.md.
- SKILL.md references a position_tracker.py, but that file is not included — inconsistency in the bundle.
Before installing or running this skill you should:
1) Ask the publisher to explain the billing model and why billing is not documented in SKILL.md. Do not assume billing is optional.
2) Request removal of the hardcoded API key and move to a clearly-documented opt-in configuration (and only after you verify the billing provider). Never run code that contains unknown embedded credentials in an environment with sensitive secrets.
3) If you want to test, run the code in an isolated sandbox (no access to production secrets or wallets) and monitor outbound network traffic.
4) Confirm the missing position_tracker.py is provided or update SKILL.md to accurately reflect available scripts.
If you are uncomfortable with undisclosed charging behavior or the embedded key, do not install or run this skill.
功能分析
Type: OpenClaw Skill
Name: shenmeng-defi-yield
Version: 1.3.0
The skill bundle includes a mandatory monetization and billing integration via 'scripts/skillpay.py', which is called by 'apy_checker.py' and 'yield_optimizer.py'. This script enforces a fee (0.001 USDT) by making external network calls to 'skillpay.me' and contains a hardcoded API key (sk_f03aa8f8...). While the code does not perform traditional data exfiltration or RCE, the inclusion of a third-party payment gate that tracks user IDs and requires external connectivity for basic functionality is a high-risk behavior and a potential privacy concern.
能力评估
Purpose & Capability
The scripts and SKILL.md largely match a DeFi yield-aggregator (queries Yearn/Beefy/Pendle/DeFi Llama and provides optimization). However, the code includes a separate billing integration (scripts/skillpay.py) that attempts to check/charge users before running logic. Billing is not documented in SKILL.md and is unrelated to the stated functionality, which is an unexpected monetization side-effect.
Instruction Scope
SKILL.md describes running apy_checker.py, yield_optimizer.py and a position tracker, but it does not disclose the billing flow. Both apy_checker.py and yield_optimizer.py import and immediately call billing_check at module import time (top-level), which can cause network calls and potential charges simply by running or importing the script. SKILL.md also references scripts/position_tracker.py, but no such file is present in the bundle (missing artifact).
Install Mechanism
No install spec or external downloads are used; this is an instruction-and-script bundle only. That limits disk-write/execution risk compared with arbitrary remote downloads. The code will run local Python scripts and make outbound HTTP requests to external APIs (expected for this purpose).
Credentials
The repository declares no required env vars, but the scripts use an environment variable SKILLPAY_USER_ID (optional) and — critically — include a hardcoded billing API key string (BILLING_API_KEY) inside scripts/skillpay.py. Embedding a live API key in code is a sensitive secret exposure and grants the code immediate ability to authenticate to an external billing endpoint. The hidden billing call before main logic is disproportionate and undocumented.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide config. It will run only when invoked. There is no installer that persists additional agents or system changes.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install shenmeng-defi-yield - 安装完成后,直接呼叫该 Skill 的名称或使用
/shenmeng-defi-yield触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.0
No changes detected in this release.
- Version number updated to 1.3.0.
- No modifications to code or documentation content.
v1.2.0
No changes detected in this version.
- No file changes found between versions.
- Functionality and documentation remain consistent with the previous release.
v1.1.0
- Added new script `scripts/skillpay.py` for expanded functionality.
- Updated `scripts/apy_checker.py` and `scripts/yield_optimizer.py` with improvements and/or additional features.
- Overall, this release adds new tools and enhances yield optimization and APY checking capabilities for DeFi yield aggregation.
v1.0.0
DeFi 收益聚合器助手首发版本:
- 支持主流协议(Yearn、Beefy、Pendle、Gamma)APY 查询与对比
- 提供自动复投、收益策略分析、风险评估建议
- 脚本可批量拉取 APY 并格式化输出,支持资产筛选
- 支持钱包仓位与收益追踪,定位未领取奖励
- 文档详解核心概念与典型场景,便于新手和进阶用户上手
元数据
常见问题
Defi Yield 是什么?
DeFi 收益聚合器(Yield Aggregator)助手。帮助用户找到最佳收益策略、 分析各协议 APY、执行自动复投、追踪仓位收益。 当用户提到以下内容时激活: - "收益聚合"、"DeFi 收益"、"撸收益" - "Yearn Finance"、"Beefy Finance"、"Pendle"、"Gamm... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 131 次。
如何安装 Defi Yield?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install shenmeng-defi-yield」即可一键安装,无需额外配置。
Defi Yield 是免费的吗?
是的,Defi Yield 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Defi Yield 支持哪些平台?
Defi Yield 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Defi Yield?
由 shenmeng(@shenmeng)开发并维护,当前版本 v1.3.0。
推荐 Skills