
[new-plugin] stablecoin-risk-check #104

Merged: plugin-store-bot[bot] merged 2 commits into main from barker/stablecoin-risk-check on May 12, 2026

Conversation

@skylavis-sky (Collaborator)

Plugin Submission

Plugin name: stablecoin-risk-check
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

  • LICENSE file included
  • SKILL.md with YAML frontmatter (name, description)
  • SUMMARY.md with Overview / Prerequisites / Quick Start
  • .claude-plugin/plugin.json present
  • No reserved prefixes used
  • No onchainos commands (pure skill, read-only)

Source: barker-stablecoin-skills-7bc027c.zip

@SamSee-314 SamSee-314 added the ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run label May 12, 2026
github-actions Bot commented May 12, 2026

✅ Phase 1: Structure Validation — PASSED

Linting skills/stablecoin-risk-check...

  ⚠️  [W140] SKILL.md references 9 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'stablecoin-risk-check' passed with 1 warning(s)

→ Proceeding to Phase 2: Build Verification

github-actions Bot commented May 12, 2026

📋 Phase 3: AI Code Review Report — Score: 88/100

Plugin: stablecoin-risk-check | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~407800+4323 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
| --- | --- |
| Name | stablecoin-risk-check |
| Version | 0.1.0 |
| Category | analytics |
| Author | Barker (YBSbarker) |
| License | MIT |
| Has Binary | No (Skill only) |
| Risk Level | Low |

Summary: An educational skill that provides structured risk assessments for major stablecoins (USDT, USDC, DAI, USDe, etc.) covering depeg history, reserve composition, audits, and regulatory exposure. The risk knowledge base is embedded in the SKILL.md itself; an optional Barker API may be referenced for cross-checking live yields.

Target Users: DeFi users, yield farmers, and crypto analysts who want a quick safety profile of a stablecoin before allocating capital.

2. Architecture Analysis

Components:

  • Skill only (SKILL.md + SUMMARY.md). No binary, no scripts.

Skill Structure:
SKILL.md contains: Overview, When to Activate (trigger keywords), Knowledge Base (Tier 1/2/3 stablecoin data), Risk Assessment Framework (6 weighted dimensions), result format template, example interaction, About Barker, and a Security/External Data Boundary section. No onchainos commands; no executable command index.

Data Flow:
The skill is essentially a static knowledge base + scoring framework injected into the LLM context. The plugin.yaml lists api.barker.money as an external API, but SKILL.md describes the API as "optional" and does not invoke it in any documented flow. No wallet, transaction, or signing operations occur.

Dependencies:

  • Optional: api.barker.money (public read-only API, 30 req/min, no auth)
  • No CLI tools, no on-chain libraries, no wallet integrations

3. Auto-Detected Permissions

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
| --- | --- | --- | --- |
| (none) | N/A | N/A | Plugin does not use onchainos CLI |

Wallet Operations

| Operation | Detected? | Where | Risk |
| --- | --- | --- | --- |
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
| --- | --- | --- |
| https://barker.money | Marketing / attribution link | Low |
| https://api.barker.money/api/public/v1 | Optional public stablecoin yield API (read-only, no auth) | Low |
| app.barker.money/enterprise | Marketing link | Low |

Chains Operated On

None. The skill operates entirely at the informational/educational layer and does not interact with any blockchain.

Overall Permission Summary

This plugin is a read-only, educational risk-assessment skill. It does not access wallets, sign transactions, send funds, or call any on-chain contract. The only external surface is an optional public API (api.barker.money) for cross-referencing yields, and SKILL.md explicitly states no PII / wallet data is transmitted. Risk surface is minimal.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — the plugin performs no on-chain write operations.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
| --- | --- | --- | --- |
| Wallet signing | N/A | No | |
| Transaction broadcasting | N/A | No | |
| DEX swap execution | N/A | No | |
| Token approval | N/A | No | |
| Contract calls | N/A | No | |
| Token transfers | N/A | No | |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
| --- | --- | --- |
| Barker public API | api.barker.money (optional) | Stablecoin yield data cross-reference |

External APIs / Libraries Detected

  • api.barker.money — declared in plugin.yaml, mentioned in SKILL.md/SUMMARY.md, no actual fetch/curl/HTTP invocation present.

Verdict: ✅ Fully Compliant

The plugin is informational only and performs no on-chain operations, so onchainos compliance is not applicable. Using an optional third-party data API for non-on-chain stablecoin yield information is acceptable.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
| --- | --- | --- | --- | --- |
| M07 | MEDIUM | Missing untrusted-data-boundary declaration | | SKILL.md includes an explicit "Security: External Data Boundary" section stating that knowledge base and API values are untrusted external content. Declaration present. |
| M08 | MEDIUM | External-data field passthrough | | SKILL.md instructs the assistant to surface names verbatim as data and explicitly enumerates safe field types (asset names, protocol names, APY numbers). Field-level guidance present. |

No other static rules (C01-C09, H01-H09, M01-M06, L01-L02) match. No curl|sh, no base64 obfuscation, no hardcoded credentials, no env-var exfiltration, no persistence, no sensitive path access, no resource exhaustion, no skill chaining, no dynamic install.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
| --- | --- | --- | --- | --- |
| L-PINJ | CRITICAL | No | 0.95 | No hidden instructions, no jailbreak language, no pseudo-system tags |
| L-MALI | CRITICAL | No | 0.95 | Stated purpose (risk education) matches actual content; no covert behavior |
| L-MEMA | HIGH | No | 0.98 | No writes to MEMORY.md, SOUL.md, or any persistent file |
| L-IINJ | INFO | Yes | 0.9 | Skill references api.barker.money as optional external data; M07-style untrusted-data declaration is present → INFO only |
| L-AEXE | INFO | No | 0.95 | No autonomous execution authority; skill is read-only educational |
| L-FINA | INFO | No (read-only) | 0.98 | No financial write operations; pure read-only educational content — exempt |
| L-FISO | INFO | N/A | 0.95 | No fund operations |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The skill has no command-injection, no persistence, no sensitive-path access, no credential handling, and no financial write operations to combine.

Prompt Injection Scan

No instruction overrides, no identity manipulation, no hidden base64/unicode content, no HTML-comment-embedded directives, no confirmation bypass, no pseudo-system tags. Trigger keyword list is benign and clearly scoped.

Result: ✅ Clean

Dangerous Operations Check

No transfers, signing, contract calls, or broadcasting. The skill is informational only.

Result: ✅ Safe

Data Exfiltration Risk

SKILL.md explicitly states "no wallet addresses, balances, signatures, private keys, or PII are transmitted." Only an optional public API for stablecoin parameters is referenced. No env-var reads, no file reads, no outbound credential transmission.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — plugin has no source code / no build section. Skill-only submission.

7. Code Review

Quality Score: 88/100

| Dimension | Score | Notes |
| --- | --- | --- |
| Completeness (pre-flight, commands, error handling) | 22/25 | Clear scope, well-structured knowledge base, complete framework. No pre-flight needed (no CLI). Could mention how to handle outdated tier data more explicitly. |
| Clarity (descriptions, no ambiguity) | 23/25 | Descriptions are concrete, trigger keywords explicit (EN+CN), framework dimensions and weights stated clearly. |
| Security Awareness (confirmations, slippage, limits) | 23/25 | Explicit "not financial advice" disclaimer, untrusted-data boundary section, and "verify current status before large allocations" note. Educational scope keeps risk surface small. |
| Skill Routing (defers correctly, no overreach) | 14/15 | Defers live yield lookups to stablecoin-yield-radar skill explicitly. Stays in its lane. |
| Formatting (markdown, tables, code blocks) | 6/10 | Good use of tables and tier breakdowns. Minor: marketing line "找稳定币理财,上 Barker" embedded in About section feels promotional inside the skill body. |

Strengths

  • Well-defined educational scope with no on-chain write operations — minimal security surface.
  • Explicit M07-style untrusted-data boundary declaration matches Plugin Store security expectations.
  • Clear skill-routing note that defers live yield queries to a separate skill (good separation of concerns).

Issues Found

  • 🔵 Minor: Marketing copy (找稳定币理财,上 Barker → https://barker.money, Need institutional-grade data? → app.barker.money/enterprise) is embedded mid-skill. Acceptable, but consider consolidating attribution at the bottom rather than mid-document.
  • 🔵 Minor: Tier data (market caps, audit firms, depeg history dates) will go stale over time. Consider adding a "last updated" stamp and a note advising users to verify time-sensitive figures.
  • 🔵 Minor: The plugin.yaml lists api.barker.money under api_calls, but SKILL.md never actually invokes it. Either document the invocation pattern or remove from api_calls to keep the declaration accurate.

8. Language Check

| File | Language Detected | English? |
| --- | --- | --- |
| SKILL.md | English (with minor Chinese trigger keywords + one Chinese marketing line) | |
| SUMMARY.md | English | |

Body text in both files is primarily English. Chinese tokens are limited to trigger keywords (acceptable per the multilingual trigger pattern) and a single short marketing line.

9. SUMMARY.md Review

| Check | Result |
| --- | --- |
| File exists | |
| Written in English | |
| Has Overview section | |
| Has Prerequisites section | |
| Has Quick Start section | |
| Character count ≤ 17,000 | ✅ 1976 chars |

11. Recommendations

  1. (Minor) Add a "Knowledge base last updated: YYYY-MM-DD" stamp so users understand the curated data has a temporal scope.
  2. (Minor) Either remove api.barker.money from plugin.yaml api_calls or add a concrete usage flow in SKILL.md showing when/how the API is invoked. Today the declaration and the SKILL.md content don't align.
  3. (Minor) Move the two promotional one-liners (找稳定币理财,上 Barker → https://barker.money, enterprise upgrade link) into a single dedicated footer/attribution block rather than placing them inline in the About section.
  4. (Optional) Consider adding an explicit note that the assessment is based on data as of a specific snapshot, and recommending users cross-check with the live Barker site for the latest tier classifications.

12. Reviewer Summary

One-line verdict: A well-scoped, low-risk educational skill that provides structured stablecoin risk assessments without any on-chain operations, with proper untrusted-data boundary handling.

Merge recommendation: ✅ Ready to merge

Blockers (if any):

No blockers found.

Non-blocking improvements above are nice-to-have but not required for merge.


Generated by Claude AI via Anthropic API — review the full report before approving.

@SamSee-314 SamSee-314 added ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run and removed ci-approved Maintainer reviewed PR; allows Phase 1/2/3 CI to run labels May 12, 2026
@SamSee-314 SamSee-314 added the approved-for-publish Triggers Phase 4: compile + publish + merge label May 12, 2026
@plugin-store-bot plugin-store-bot Bot merged commit 5151022 into main May 12, 2026
31 checks passed
@plugin-store-bot

✅ Phase 4: Publish Complete

Plugins: stablecoin-risk-check

  • ✅ Build: 9 architectures compiled
  • ✅ Release: GitHub Release created
  • ✅ Pre-flight: injected into SKILL.md
  • ✅ Registry: registry.json updated
  • ✅ Merged to main



Published by Plugin Store CI


Labels: ai-reviewed, approved-for-publish (Triggers Phase 4: compile + publish + merge), ci-approved (Maintainer reviewed PR; allows Phase 1/2/3 CI to run), new-plugin, structure-validated
