Is alannetwork/yieldvault-agent safe?

https://github.com/openclaw/skills/tree/main/skills/alannetwork/yieldvault-agent

83
SAFE

yieldvault-agent is a legitimate autonomous DeFi yield farming tool for BNB Chain. No prompt injection, credential theft, malicious install scripts, or canary violations were detected. The primary risks are operational: the scheduler executes irreversible blockchain transactions autonomously using a user-supplied private key, and all activity is forwarded to a Telegram bot whose ownership is not verifiable. The skill is explicitly marked not production-ready for mainnet use by its own documentation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 62/100 · 5%

Findings (8)

HIGH Autonomous mainnet transaction execution without per-action approval -20

scheduler.js runs a continuous decision cycle that signs and broadcasts DEPOSIT, WITHDRAW, HARVEST, COMPOUND, and REBALANCE transactions using the user's private key. No confirmation step exists between the agent's decision and on-chain execution. On mainnet BNB Chain (chainId:56), this is irreversible and financially consequential.

HIGH Telegram channel exfiltrates operational financial data to external endpoint -15

NotificationManager.sendTelegram() POSTs vault IDs, transaction hashes, gas used, block numbers, APR values, error messages with context objects, and cycle summaries to api.telegram.org. The destination bot is owned by whoever configured the token. An attacker embedding their own Telegram bot credentials in a pre-configured config file would silently receive all DeFi activity.

MEDIUM Private key exposure risk via error notification context -10

tx-executor.js holds WALLET_PRIVATE_KEY from environment at construction time (this.wallet = new ethers.Wallet(...)). Error objects thrown during transaction signing may carry wallet state. notifyError() blindly serialises the entire context parameter, which callers may populate with wallet-adjacent debug data.

MEDIUM Hardhat smart contract deployment scripts present -8

contracts/scripts/deploy.js and contracts/deploy.js can deploy the YieldVault contract to BNB testnet or mainnet when executed. contracts/package.json includes npm run deploy:testnet and deploy:mainnet scripts. An agent instructed to 'set up the contracts' could execute a live deployment.

MEDIUM Skill not production-audited but references mainnet configuration -20

config.mainnet.json is present in the skill directory alongside config.deployed.json. FINAL_CHECKLIST.md explicitly lists Smart Contract Audit as REQUIRED FOR MAINNET and marks it uncompleted. A user following the quickstart on mainnet would deploy unaudited contracts and run an unapproved autonomous spending agent.

LOW Telegram bot ownership and trust not verifiable -13

The notifications subsystem requires a Telegram bot token and chat ID. The skill documentation does not instruct users to create their own bot — users following examples may use a preconfigured token from a demo config, forwarding their DeFi activity to an unknown operator.

LOW Notification log persists financial history to disk -3

notifications.js.logNotification() appends every alert to notifications.log.json, retaining up to 2000 entries. This file accumulates vault IDs, transaction hashes, APR values, and error messages in the skill's working directory indefinitely.

INFO Installation proceeded cleanly via sparse git checkout 0

The openclaw install mechanism cloned the monorepo with depth=1, performed a sparse checkout of the skill subpath, copied files to the working directory, and cleaned up. No unexpected processes or filesystem mutations outside the target directory were observed.