
[new-plugin] stablecoin-depeg-monitor#102

Merged
plugin-store-bot[bot] merged 2 commits into main from barker/stablecoin-depeg-monitor
May 12, 2026

@skylavis-sky
Collaborator

Plugin Submission

Plugin name: stablecoin-depeg-monitor
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

  • LICENSE file included
  • SKILL.md with YAML frontmatter (name, description)
  • SUMMARY.md with Overview / Prerequisites / Quick Start
  • .claude-plugin/plugin.json present
  • No reserved prefixes used
  • No onchainos commands (pure skill, read-only)

Source: barker-stablecoin-skills-7bc027c.zip

@SamSee-314 SamSee-314 added the ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run label May 12, 2026
@github-actions

github-actions Bot commented May 12, 2026

📋 Phase 3: AI Code Review Report — Score: 86/100

Plugin: stablecoin-depeg-monitor | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~407104+3676 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
|---|---|
| Name | stablecoin-depeg-monitor |
| Version | 0.1.0 |
| Category | analytics |
| Author | Barker (YBSbarker) |
| License | MIT |
| Has Binary | No (Skill only) |
| Risk Level | Low |

Summary: A read-only analytics skill that monitors stablecoin peg stability by calling Barker's public market overview API and provides a curated historical depeg incident database for major stablecoins (USDT, USDC, DAI, USDe, FDUSD, UST).

Target Users: DeFi users, stablecoin holders, and analysts who want quick depeg risk assessments and historical context on past depeg events.

2. Architecture Analysis

Components:

  • Skill only (SKILL.md + SUMMARY.md). No binary, no source code.

Skill Structure:
SKILL.md contains: Overview, When to Activate, Data Source, Risk Alert Framework (threshold table), Historical Depeg Database (6 curated incidents), How to Present Results, Example Interaction, About Barker, Important Notes, and Security: External Data Boundary section. No CLI commands defined.

Data Flow:

  1. User asks about stablecoin peg/depeg.
  2. Agent calls GET https://api.barker.money/api/public/v1/market/overview.
  3. Agent parses asset_distribution[] (TVL, share_pct).
  4. Agent presents peg status table with historical context.
  5. No wallet data, no signing, no transactions.

Dependencies:

  • External API: api.barker.money (public, no auth, rate-limited 30 req/min)
  • Optional: external price feeds (CoinGecko, DEX/CEX) — mentioned but not called by the skill itself

3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
|---|---|---|---|
| None | N/A | N/A | Plugin does not use onchainos CLI |

Wallet Operations

| Operation | Detected? | Where | Risk |
|---|---|---|---|
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
|---|---|---|
| https://api.barker.money/api/public/v1/market/overview | Stablecoin TVL/market stress data | Low |
| https://barker.money | Attribution link | Low |

Chains Operated On

None — read-only off-chain analytics.

Overall Permission Summary

This plugin is purely informational. It instructs the agent to call a single public API endpoint at api.barker.money to retrieve stablecoin TVL data, then combine it with an embedded knowledge base of historical depeg events. No wallet access, no signing, no transactions, no chain interactions. The plugin explicitly disclaims it does not transmit private user data.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — plugin performs no on-chain write operations.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
|---|---|---|---|
| Wallet signing | N/A | No | No signing |
| Transaction broadcasting | N/A | No | No broadcasting |
| DEX swap execution | N/A | No | No swap |
| Token approval | N/A | No | No approval |
| Contract calls | N/A | No | No contract calls |
| Token transfers | N/A | No | No transfers |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
|---|---|---|
| Barker public API | api.barker.money/api/public/v1/market/overview | Stablecoin TVL and market stress signals |

External APIs / Libraries Detected

  • api.barker.money (single declared endpoint, matches api_calls in plugin.yaml)

Verdict: ✅ Fully Compliant

No on-chain write operations; data query via declared external API only. Onchainos usage is not required for this read-only analytics use case.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
|---|---|---|---|---|
| M07 | MEDIUM | Missing untrusted-data boundary | No | SKILL.md includes explicit "Security: External Data Boundary" section declaring API responses as untrusted external content |
| M08 | MEDIUM | External data field passthrough | No | Display rules enumerate specific fields (status, TVL, notes); raw API response is not passed through verbatim |

No other static rules match. No curl|sh, no credential access, no eval, no obfuscation, no persistence, no prompt injection patterns.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
|---|---|---|---|---|
| L-PINJ | CRITICAL | No | 0.95 | No hidden/jailbreak instructions; no system tags |
| L-MALI | CRITICAL | No | 0.95 | Behavior matches declared purpose (depeg monitoring) |
| L-MEMA | HIGH | No | 0.95 | No memory file writes |
| L-IINJ | INFO | Yes | 0.95 | External request to api.barker.money — explicit boundary declaration present → INFO |
| L-AEXE | INFO | No | 0.9 | Read-only; no autonomous execution paths |
| L-FINA | INFO | No (read-only) | 0.95 | No financial operations — exempt |
| L-FISO | INFO | N/A | | No financial scope |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The skill has no financial operations, no credential access, and no command injection patterns.

Prompt Injection Scan

No instruction overrides, hidden behavior, base64 payloads, invisible chars, or confirmation bypass.

Result: ✅ Clean

Dangerous Operations Check

No transfers, signing, or contract calls.

Result: ✅ Safe

Data Exfiltration Risk

Skill explicitly states no wallet addresses, balances, signatures, or PII are transmitted. Only public stablecoin parameters sent to Barker API.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — plugin has no source code or binary.

7. Code Review

Quality Score: 86/100

| Dimension | Score | Notes |
|---|---|---|
| Completeness (pre-flight, commands, error handling) | 21/25 | Clear data source, response schema, and thresholds; no error-handling guidance for API failures (rate limit, 5xx) |
| Clarity (descriptions, no ambiguity) | 23/25 | Trigger keywords, thresholds, and example interaction are well-defined |
| Security Awareness (confirmations, slippage, limits) | 23/25 | Explicit external-data boundary section; no signing/financial ops to worry about |
| Skill Routing (defers correctly, no overreach) | 13/15 | Mentions cross-checking with external price feeds but doesn't overreach; could clarify when to defer to a price-feed skill |
| Formatting (markdown, tables, code blocks) | 9/10 | Clean tables, well-structured sections |

Strengths

  • Explicit "Security: External Data Boundary" section satisfies M07 untrusted-data declaration
  • Single declared external API matches api_calls in plugin.yaml — full transparency
  • Clear privacy stance: no wallet data, no PII transmitted

Issues Found

  • 🔵 Minor: No guidance for handling API rate limits (30 req/min) or transient failures
  • 🔵 Minor: Skill notes that peg prices require external feeds but doesn't specify a deterministic fallback; could leave the agent guessing in Yellow/Red threshold checks
  • 🔵 Minor: Historical depeg dates are static — consider noting "last updated" date for the database

8. Language Check

| File | Language Detected | English? |
|---|---|---|
| SKILL.md | English (with small Chinese trigger phrases as keywords) | |
| SUMMARY.md | English | |

Minor Chinese trigger keywords (脱锚, 稳定币价格, etc.) are acceptable — they aid multilingual user routing without changing the body language.

9. SUMMARY.md Review

| Check | Result |
|---|---|
| File exists | |
| Written in English | |
| Has Overview section | |
| Has Prerequisites section | |
| Has Quick Start section | |
| Character count ≤ 17,000 | ✅ 1909 chars |

11. Recommendations

  1. Add brief error-handling guidance for API rate limits (30 req/min) and 5xx failures so the agent gracefully degrades to historical-context-only mode.
  2. Specify a deterministic price-feed fallback (e.g., explicit cross-check with okx-dex-market) for the Yellow/Red threshold logic — currently the skill says "cross-check with a price feed" without naming one.
  3. Add a "last updated" date or version tag to the Historical Depeg Database so users know the recency of the curated incidents.
  4. Consider documenting the response schema's full shape (not just relevant fields) so the agent can handle unexpected fields gracefully.

12. Reviewer Summary

One-line verdict: A clean, low-risk, read-only analytics skill calling a single declared public API with explicit untrusted-data boundary and no financial operations.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

Non-blocking improvements listed in Recommendations above can be addressed in a follow-up patch.


Generated by Claude AI via Anthropic API — review the full report before approving.

@github-actions

github-actions Bot commented May 12, 2026

✅ Phase 1: Structure Validation — PASSED

Linting skills/stablecoin-depeg-monitor...

  ⚠️  [W140] SKILL.md references 6 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'stablecoin-depeg-monitor' passed with 1 warning(s)

→ Proceeding to Phase 2: Build Verification

@SamSee-314 SamSee-314 added ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run and removed ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run labels May 12, 2026
@SamSee-314 SamSee-314 added the approved-for-publish Triggers Phase 4: compile + publish + merge label May 12, 2026
@plugin-store-bot plugin-store-bot Bot merged commit b443bfb into main May 12, 2026
31 checks passed
@plugin-store-bot

✅ Phase 4: Publish Complete

Plugins: stablecoin-depeg-monitor

  • ✅ Build: 9 architectures compiled
  • ✅ Release: GitHub Release created
  • ✅ Pre-flight: injected into SKILL.md
  • ✅ Registry: registry.json updated
  • ✅ Merged to main


Published by Plugin Store CI


Labels

ai-reviewed approved-for-publish Triggers Phase 4: compile + publish + merge ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run new-plugin structure-validated
