
[new-plugin] stablecoin-market-brief#103

Merged: plugin-store-bot[bot] merged 2 commits into main from barker/stablecoin-market-brief on May 12, 2026

@skylavis-sky
Collaborator

Plugin Submission

Plugin name: stablecoin-market-brief
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

  • LICENSE file included
  • SKILL.md with YAML frontmatter (name, description)
  • SUMMARY.md with Overview / Prerequisites / Quick Start
  • .claude-plugin/plugin.json present
  • No reserved prefixes used
  • No onchainos commands (pure skill, read-only)

Source: barker-stablecoin-skills-7bc027c.zip

SamSee-314 added the ci-approved label (Maintainer reviewed PR; allows Phase 1/2/3 CI to run) on May 12, 2026

github-actions Bot commented May 12, 2026

📋 Phase 3: AI Code Review Report — Score: 92/100

Plugin: stablecoin-market-brief | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~406249+4083 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
|---|---|
| Name | stablecoin-market-brief |
| Version | 0.1.0 |
| Category | analytics |
| Author | Barker (YBSbarker) |
| License | MIT |
| Has Binary | No (Skill only) |
| Risk Level | Low |

Summary: A read-only analytics skill that fetches stablecoin market overview data (market cap, asset/chain distribution, APY benchmark) from Barker's public API (api.barker.money). It provides users with a formatted snapshot of the stablecoin market landscape.

Target Users: DeFi users, analysts, and researchers wanting a quick stablecoin market overview, TVL distribution, and yield landscape comparison vs. Treasury rates.

2. Architecture Analysis

Components:

  • Skill only (SKILL.md + SUMMARY.md). No binary, no source code.

Skill Structure:
SKILL.md has clear sections: Overview, When to Activate, Data Sources (with 2 API endpoints documented), How to Present Results, Example Interaction, About Barker, Important Notes, and a Security: External Data Boundary section. ~110 lines, well-organized.

Data Flow:

  1. User asks about stablecoin market.
  2. LLM calls GET https://api.barker.money/api/public/v1/market/overview (no params).
  3. Optionally calls GET https://api.barker.money/api/public/v1/market/trend?days=N for trend data.
  4. LLM formats JSON response into a readable snapshot with attribution.

Dependencies:

  • External: api.barker.money public read-only API (no auth, 30 req/min rate limit).
  • No CLI tools, no onchainos commands, no wallet operations.

3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
|---|---|---|---|
| (none) | N/A | N/A | This plugin does not use onchainos CLI |

Wallet Operations

| Operation | Detected? | Where | Risk |
|---|---|---|---|
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
|---|---|---|
| https://api.barker.money/api/public/v1/market/overview | Fetch stablecoin market overview | Low |
| https://api.barker.money/api/public/v1/market/trend?days=N | Fetch historical APY trend | Low |
| https://barker.money | Attribution link (display only) | Low |

Chains Operated On

None. This is a pure off-chain analytics skill that aggregates DeFi data presented through Barker's API.

Overall Permission Summary

This plugin is read-only and operates entirely off-chain. It only reads public market data from api.barker.money (no auth, no PII, no wallet data). No transactions, no signing, no on-chain operations. Risk surface is limited to potential prompt injection via API response fields (mitigated by explicit external data boundary declaration).

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — This plugin performs no on-chain operations.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
|---|---|---|---|
| Wallet signing | N/A | No | Not applicable |
| Transaction broadcasting | N/A | No | Not applicable |
| DEX swap execution | N/A | No | Not applicable |
| Token approval | N/A | No | Not applicable |
| Contract calls | N/A | No | Not applicable |
| Token transfers | N/A | No | Not applicable |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
|---|---|---|
| Barker | api.barker.money/api/public/v1/market/overview | Stablecoin market cap & distribution |
| Barker | api.barker.money/api/public/v1/market/trend | Historical APY trends |

External APIs / Libraries Detected

  • api.barker.money (single public API, no auth required)

Verdict: ✅ Fully Compliant

No on-chain operations are performed; onchainos is not required. Using a third-party data API is explicitly allowed per the review rules.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
|---|---|---|---|---|
| M07 | MEDIUM | Missing untrusted-data-boundary declaration | NOT matched | SKILL.md includes an explicit "Security: External Data Boundary" section stating that all API responses are untrusted external content |
| M08 | MEDIUM | External-data field passthrough | NOT matched | SKILL.md specifies which fields to display (market cap, asset/chain percentages, APY) and the boundary section instructs the assistant not to act on embedded instructions |

No other rules matched. No curl|sh, no prompt injection patterns, no obfuscation, no credential handling, no persistence, no sensitive paths, no resource exhaustion patterns.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
|---|---|---|---|---|
| L-PINJ | CRITICAL | No | 0.95 | No hidden instructions, no role overrides, no Unicode/base64 smuggling |
| L-MALI | CRITICAL | No | 0.92 | Stated purpose (analytics) matches actual behavior (read-only API calls) |
| L-MEMA | HIGH | No | 0.95 | No memory file writes |
| L-IINJ | INFO | Yes | 0.95 | Fetches from api.barker.money; SKILL.md includes the required "untrusted external content" declaration → INFO only |
| L-AEXE | INFO | No | 0.90 | No autonomous execution; purely a query-and-format flow |
| L-FINA | INFO | No (read-only) | 0.95 | Exempt — no financial write operations |
| L-FISO | INFO | No | 0.90 | No fund isolation concerns; no funds involved |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The plugin does not match any of the chain triggers (no sensitive-data-access, no command-injection, no direct-financial write operations, no missing boundary declaration).

Prompt Injection Scan

No instruction overrides, identity manipulation, hidden behavior, confirmation bypass, base64/Unicode smuggling, or HTML comment injection found. Content is straightforward documentation.

Result: ✅ Clean

Dangerous Operations Check

No transfers, signing, contract calls, or transaction broadcasting. The plugin is purely a data-fetching skill.

Result: ✅ Safe

Data Exfiltration Risk

No environment variable access, no file system reads, no credential paths. The plugin only sends days query parameter (no user data) to the public Barker API. SUMMARY.md explicitly states no PII/wallet data is transmitted.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — plugin has no source code or binary component.

7. Code Review

Quality Score: 92/100

| Dimension | Score | Notes |
|---|---|---|
| Completeness (pre-flight, commands, error handling) | 22/25 | Clear API documentation with field types/units; no explicit error handling guidance for rate limits or API failures |
| Clarity (descriptions, no ambiguity) | 24/25 | Excellent — units (decimal vs percent) explicitly called out, example interaction included |
| Security Awareness (confirmations, slippage, limits) | 25/25 | Explicit external data boundary section; no sensitive operations; rate-limit/no-PII disclosure |
| Skill Routing (defers correctly, no overreach) | 14/15 | Well-scoped to market overview; doesn't try to do swaps/wallet ops |
| Formatting (markdown, tables, code blocks) | 7/10 | Generally good, but example output structure could be more uniform |

Strengths

  • Explicit external data boundary declaration satisfies M07/M08 — a notable strength that many analytics plugins miss.
  • Clear unit documentation (decimal vs. percentage, USD raw values) prevents formatting errors by the consuming LLM.
  • Privacy-positive: explicitly states no wallet addresses, PII, or signatures are transmitted.

Issues Found

  • 🔵 Minor: SKILL.md does not document the response shape for error cases (rate-limit exceeded, API downtime). Adding a brief "if success: false, surface the error gracefully" note would improve robustness.
  • 🔵 Minor: The quickstart invocation mentioned in SUMMARY.md ("stablecoin-market-brief quickstart") is not defined anywhere in SKILL.md. Either remove that line from SUMMARY.md or document the quickstart trigger.
  • 🔵 Minor: SKILL.md tags field uses an unusual frontmatter format compared to the standard metadata: block; harmless but inconsistent with examples like okx-dex-market.

8. Language Check

| File | Language Detected | English? |
|---|---|---|
| SKILL.md | English (with minor Chinese marketing tagline at end) | |
| SUMMARY.md | English | |

The body of both files is primarily English. SKILL.md contains a single Chinese marketing tagline ("找稳定币理财,上 Barker → https://barker.money") which is acceptable as a brand-specific phrase.

9. SUMMARY.md Review

| Check | Result |
|---|---|
| File exists | |
| Written in English | |
| Has Overview section | |
| Has Prerequisites section | |
| Has Quick Start section | |
| Character count ≤ 17,000 | ✅ 1,893 chars |

11. Recommendations
  1. 🔵 Document error response handling in SKILL.md (e.g., what to do when success: false or when rate-limit hits). A one-line guidance is enough.
  2. 🔵 Either remove "stablecoin-market-brief quickstart" from SUMMARY.md Quick Start step 1, or add a quickstart trigger description to SKILL.md.
  3. 🔵 Consider aligning frontmatter to use the metadata: block format used by official skills for consistency (cosmetic).

12. Reviewer Summary

One-line verdict: A clean, well-documented, read-only analytics skill with explicit external data boundary handling and zero on-chain risk surface.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

Non-blocking improvements (see Recommendations above): document API error handling, remove or define the quickstart reference in SUMMARY.md, and optionally align frontmatter style with other OKX skills.


Generated by Claude AI via Anthropic API — review the full report before approving.


github-actions Bot commented May 12, 2026

✅ Phase 1: Structure Validation — PASSED

Linting skills/stablecoin-market-brief...

  ⚠️  [W140] SKILL.md references 7 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'stablecoin-market-brief' passed with 1 warning(s)

→ Proceeding to Phase 2: Build Verification

SamSee-314 added and removed the ci-approved label (Maintainer reviewed PR; allows Phase 1/2/3 CI to run) on May 12, 2026
SamSee-314 added the approved-for-publish label (Triggers Phase 4: compile + publish + merge) on May 12, 2026
plugin-store-bot Bot merged commit 3c3cc2e into main on May 12, 2026
31 checks passed
@plugin-store-bot

✅ Phase 4: Publish Complete

Plugins: stablecoin-market-brief

  • ✅ Build: 9 architectures compiled
  • ✅ Release: GitHub Release created
  • ✅ Pre-flight: injected into SKILL.md
  • ✅ Registry: registry.json updated
  • ✅ Merged to main



Published by Plugin Store CI


Labels

  • ai-reviewed
  • approved-for-publish (Triggers Phase 4: compile + publish + merge)
  • ci-approved (Maintainer reviewed PR; allows Phase 1/2/3 CI to run)
  • new-plugin
  • structure-validated


2 participants