
[new-plugin] stablecoin-chain-explorer#101

Merged: plugin-store-bot[bot] merged 2 commits into main from barker/stablecoin-chain-explorer on May 12, 2026

@skylavis-sky (Collaborator)

Plugin Submission

Plugin name: stablecoin-chain-explorer
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

  • LICENSE file included
  • SKILL.md with YAML frontmatter (name, description)
  • SUMMARY.md with Overview / Prerequisites / Quick Start
  • .claude-plugin/plugin.json present
  • No reserved prefixes used
  • No onchainos commands (pure skill, read-only)

Source: barker-stablecoin-skills-7bc027c.zip

@SamSee-314 added the ci-approved label (Maintainer reviewed PR; allows Phase 1/2/3 CI to run) on May 12, 2026

github-actions Bot commented May 12, 2026

✅ Phase 1: Structure Validation — PASSED

Linting skills/stablecoin-chain-explorer...

  ⚠️  [W140] SKILL.md references 5 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'stablecoin-chain-explorer' passed with 1 warning(s)

→ Proceeding to Phase 2: Build Verification


github-actions Bot commented May 12, 2026

📋 Phase 3: AI Code Review Report — Score: 92/100

Plugin: stablecoin-chain-explorer | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~407141+4013 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
| --- | --- |
| Name | stablecoin-chain-explorer |
| Version | 0.1.0 |
| Category | analytics |
| Author | Barker (YBSbarker) |
| License | MIT |
| Has Binary | No (Skill only) |
| Risk Level | Low |

Summary: A read-only analytics skill that compares stablecoin TVL distribution and yield opportunities across blockchains by calling Barker's public API (api.barker.money). Returns cross-chain comparison tables with TVL share, top APYs, and gas estimates.

Target Users: DeFi users researching where to allocate stablecoins across chains (Ethereum, BSC, Arbitrum, Base, Polygon, etc.) for yield optimization.

2. Architecture Analysis

Components:
Skill only (SKILL.md + SUMMARY.md). No binary, no source code.

Skill Structure:
SKILL.md has clear sections: Overview, When to Activate (triggers), Data Sources (two API endpoints documented with shapes), Chain Profiles (curated knowledge), How to Present Results, Example Interaction, About Barker, Important Notes, and Security: External Data Boundary.

Data Flow:

  1. LLM receives user query about cross-chain stablecoins
  2. Calls GET https://api.barker.money/api/public/v1/market/overview for chain TVL distribution
  3. Calls GET https://api.barker.money/api/public/v1/defi/vaults?chain=<chain>&sort=apy&limit=10 for yields per chain
  4. Renders a comparison table with attribution

Dependencies:

  • Single external API: api.barker.money (public, rate-limited 30 req/min, no auth)

3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
| --- | --- | --- | --- |
| (none) | N/A | N/A | Plugin does not use onchainos CLI |

Wallet Operations

| Operation | Detected? | Where | Risk |
| --- | --- | --- | --- |
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
| --- | --- | --- |
| https://api.barker.money/api/public/v1/market/overview | Fetch chain TVL distribution | Low |
| https://api.barker.money/api/public/v1/defi/vaults | Fetch DeFi vault yields per chain | Low |
| https://barker.money | Attribution link | Low |

Chains Operated On

Read-only references to Ethereum, BSC, Arbitrum, Base, Polygon, Optimism, Avalanche, Solana. No on-chain operations.

Overall Permission Summary

This is a pure read-only analytics skill. It calls two public, unauthenticated endpoints on api.barker.money to compare stablecoin TVL and yields across chains. It accesses no wallet data, sends no transactions, signs no messages, and transmits no PII. Risk surface is limited to the trustworthiness of the external API's returned strings, which the skill explicitly marks as untrusted in its Security section.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — plugin performs no on-chain write operations. onchainos usage is optional per Plugin Store policy.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
| --- | --- | --- | --- |
| Wallet signing | N/A | No | No signing |
| Transaction broadcasting | N/A | No | No broadcasting |
| DEX swap execution | N/A | No | No swaps |
| Token approval | N/A | No | No approvals |
| Contract calls | N/A | No | No contract calls |
| Token transfers | N/A | No | No transfers |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
| --- | --- | --- |
| Barker | api.barker.money (public REST) | Chain TVL distribution & DeFi vault yields |

External APIs / Libraries Detected

Only api.barker.money declared in plugin.yaml api_calls and referenced in SKILL.md. No web3 libraries, no RPC URLs.

Verdict: ✅ Fully Compliant

Read-only analytics plugin with no on-chain operations. Public data API usage is allowed.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
| --- | --- | --- | --- | --- |
| M07 | MEDIUM | Missing untrusted-data boundary declaration | No | Skill includes an explicit "Security: External Data Boundary" section in both SKILL.md and SUMMARY.md treating all API responses as untrusted. |
| M08 | MEDIUM | External-data field passthrough | No | Skill enumerates specific safe fields (chain_name, share_pct, protocol_name, asset_symbol, supply_apy_total, supply_tvl) for rendering in comparison tables. |

No other static rules match. No curl|sh, no credential access, no persistence, no obfuscation, no prompt injection, no hardcoded secrets, no dangerous network patterns, no resource exhaustion, no skill chaining.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
| --- | --- | --- | --- | --- |
| L-PINJ | CRITICAL | No | 0.95 | No hidden/jailbreak instructions; CLI param injection N/A (no CLI). |
| L-MALI | CRITICAL | No | 0.95 | Stated purpose (cross-chain stablecoin analytics) matches actual behavior (two GET calls + table rendering). |
| L-MEMA | HIGH | No | 0.95 | No writes to MEMORY.md, SOUL.md, or persistent memory files. |
| L-IINJ | INFO | Yes | 1.00 | Calls external API (api.barker.money); explicit untrusted-data declaration present → INFO. |
| L-AEXE | INFO | No | 0.95 | No autonomous execution — purely advisory, returns tables. |
| L-FINA | | No | 1.00 | Read-only — exempt (no financial operations). |
| L-FISO | INFO | N/A | 1.00 | Single API host, scope clearly limited; no fund handling. |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. No combination of network access + sensitive paths + financial operations.

Prompt Injection Scan

No ignore previous instructions, no pseudo-system tags, no base64 payloads, no Unicode obfuscation, no HTML-comment-hidden directives. Triggers list is keyword-based and benign.

Result: ✅ Clean

Dangerous Operations Check

No transfers, signing, contract calls, or transaction broadcasts. Plugin is pure read-only data retrieval.

Result: ✅ Safe

Data Exfiltration Risk

Plugin transmits only public query parameters (chain name, asset symbol, sort, limit) to api.barker.money. No wallet addresses, no balances, no signatures, no PII. SUMMARY.md and SKILL.md both explicitly state this.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

7. Code Review

Quality Score: 92/100

| Dimension | Score | Notes |
| --- | --- | --- |
| Completeness (pre-flight, commands, error handling) | 22/25 | Clear data sources, response shapes documented, example interaction provided. No rate-limit handling instructions for the LLM (30 req/min could be hit). |
| Clarity (descriptions, no ambiguity) | 24/25 | Crisp instructions; explicit decimal-to-percentage conversion warning is excellent. |
| Security Awareness (confirmations, slippage, limits) | 25/25 | Explicit untrusted-data declaration; clear statement that no PII is transmitted; "Information only" disclaimer. |
| Skill Routing (defers correctly, no overreach) | 14/15 | Stays in analytics scope; explicitly warns about cross-chain bridging risk and defers actual execution. |
| Formatting (markdown, tables, code blocks) | 7/10 | Good tables and code blocks. Minor: chain-profile knowledge could become stale (curated TVL share percentages are baked into SKILL.md). |

Strengths

  • Excellent untrusted-data boundary declaration in both SKILL.md and SUMMARY.md.
  • Clear field-level enumeration of safe data (M08 satisfied).
  • Transparent about API scope, no PII / wallet data transmitted.

Issues Found

  • 🔵 Minor: Curated chain TVL share percentages in SKILL.md (e.g. "Ethereum ~55%") can drift from live API data; consider noting these are approximate ranges or refreshing periodically.
  • 🔵 Minor: No guidance on rate-limit handling (30 req/min); LLMs that make many parallel calls could 429.

8. Language Check

| File | Language Detected | English? |
| --- | --- | --- |
| SKILL.md | English (with a few Chinese trigger keywords listed) | |
| SUMMARY.md | English | |

Chinese phrases in SKILL.md ("哪条链稳定币多", "找稳定币理财,上 Barker") are localized trigger keywords and brand slogan — body text is English.

9. SUMMARY.md Review

| Check | Result |
| --- | --- |
| File exists | |
| Written in English | |
| Has Overview section | |
| Has Prerequisites section | |
| Has Quick Start section | |
| Character count ≤ 17,000 | ✅ 1,955 chars |

11. Recommendations
  1. (Minor) Add a brief note in SKILL.md instructing the LLM to handle HTTP 429 rate-limit responses gracefully (the public API caps at 30 req/min).
  2. (Minor) Mark the hardcoded chain TVL share percentages in "Chain Profiles" as approximate/historical and remind the LLM to prefer live share_pct values from /market/overview over the curated numbers.
  3. (Optional) Consider adding a SHA256 or version pin if Barker ever changes the API response shape, to avoid silent field drift.

12. Reviewer Summary

One-line verdict: Clean, well-scoped read-only analytics plugin with strong security hygiene and explicit untrusted-data declarations — ready to merge.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

Minor improvements (non-blocking) listed in Recommendations above.


Generated by Claude AI via Anthropic API — review the full report before approving.

@SamSee-314 added and removed the ci-approved label (Maintainer reviewed PR; allows Phase 1/2/3 CI to run) on May 12, 2026
@SamSee-314 added the approved-for-publish label (Triggers Phase 4: compile + publish + merge) on May 12, 2026
@plugin-store-bot (bot) merged commit 5548885 into main on May 12, 2026
31 checks passed
@plugin-store-bot

✅ Phase 4: Publish Complete

Plugins: stablecoin-chain-explorer

  • ✅ Build: 9 architectures compiled
  • ✅ Release: GitHub Release created
  • ✅ Pre-flight: injected into SKILL.md
  • ✅ Registry: registry.json updated
  • ✅ Merged to main



Published by Plugin Store CI
