[new-plugin] stablecoin-yield-radar

[skylavis-sky]

Plugin Submission

Plugin name: stablecoin-yield-radar
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

• LICENSE file included
• SKILL.md with YAML frontmatter (name, description)
• SUMMARY.md with Overview / Prerequisites / Quick Start
• .claude-plugin/plugin.json present
• No reserved prefixes used
• No onchainos commands (pure skill, read-only)

---

Source: barker-stablecoin-skills-7bc027c.zip

[github-actions]

📋 Phase 3: AI Code Review Report — Score: 88/100

Plugin: stablecoin-yield-radar | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~406461+4123 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.

---

1. Plugin Overview

Field	Value
Name	stablecoin-yield-radar
Version	0.1.0
Category	analytics
Author	Barker (YBSbarker)
License	MIT
Has Binary	No (Skill only)
Risk Level	Low

Summary: A read-only analytics skill that queries Barker's public API (api.barker.money) to surface real-time stablecoin yield APY rankings across 500+ DeFi protocols and 20+ CEX. Returns a ranked table of APY, TVL, protocol, and chain for stablecoins like USDT, USDC, DAI, USDe.

Target Users: DeFi users, yield farmers, and crypto investors looking to compare stablecoin lending/earning opportunities across protocols and chains.

2. Architecture Analysis

Components:
Skill only (no binary, no scripts).

Skill Structure:
SKILL.md contains: Overview, When to Activate (trigger keywords), Data Source (single GET endpoint with query params), Response format, How to Present Results (formatting rules), Example Interaction, About Barker, Important Notes, and a Security: External Data Boundary section. No commands/scripts — pure routing prompt.

Data Flow:
LLM agent → HTTP GET to https://api.barker.money/api/public/v1/defi/vaults with query params (asset, chain, sort, limit) → parse JSON response → format as ranked table for user.

Dependencies:

• Single external API: api.barker.money (public, no API key, 30 req/min rate limit)
• No CLI dependencies, no other skills, no onchainos.

3. Auto-Detected Permissions

onchainos Commands Used

Command Found	Exists in onchainos CLI	Risk Level	Context
None	N/A	N/A	Plugin does not use onchainos

Wallet Operations

Operation	Detected?	Where	Risk
Read balance	No	—	Low
Send transaction	No	—	High
Sign message	No	—	High
Contract call	No	—	High

External APIs / URLs

URL / Domain	Purpose	Risk
https://api.barker.money/api/public/v1/defi/vaults	Query stablecoin yield index	Low
https://barker.money	Attribution link (display only)	Low
https://app.barker.money/enterprise	Reference to enterprise API (display only)	Low

Chains Operated On

None directly. The skill references chain names (ethereum, bsc, arbitrum, base, polygon) as filter parameters but performs no on-chain operations.

Overall Permission Summary

This is a pure read-only analytics skill. It makes unauthenticated GET requests to a single public API endpoint (api.barker.money) to fetch stablecoin yield data. It accesses no wallet, no keys, no private data — only sends public filter parameters (asset symbol, chain, sort order, limit). No transactions, no signing, no contract calls. Nothing dangerous.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — this plugin performs no on-chain operations. It is a read-only data aggregation skill.

On-Chain Write Operations (MUST use onchainos)

Operation	Uses onchainos?	Self-implements?	Detail
Wallet signing	N/A	No	No signing
Transaction broadcasting	N/A	No	No broadcasts
DEX swap execution	N/A	No	No swaps
Token approval	N/A	No	No approvals
Contract calls	N/A	No	No contract calls
Token transfers	N/A	No	No transfers

Data Queries (allowed to use external sources)

Data Source	API/Service Used	Purpose
Barker public API	api.barker.money/api/public/v1/defi/vaults	Stablecoin yield APY/TVL data

External APIs / Libraries Detected

• api.barker.money (single public endpoint, no auth)

Verdict: ✅ Fully Compliant

The plugin performs only data queries via an external public API. Since it has zero on-chain write operations, onchainos compliance is not applicable. The plugin correctly stays in its analytics lane.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

Rule ID	Severity	Title	Matched?	Detail
H05	INFO	Contains data API endpoint (informational)	No (read-only data, no financial write ops)	API is read-only analytics; doesn't trigger H05 financial-action pattern
M03	MEDIUM	Pulls external content (potential indirect prompt injection vector)	Partial	SKILL.md instructs agent to fetch from api.barker.money. Mitigated by explicit "Security: External Data Boundary" section instructing agent to treat returned strings as data.
M07	MEDIUM	Missing untrusted-data boundary declaration	No	Explicitly declares external API responses as untrusted external content in the "Security: External Data Boundary" section.
M08	INFO	External data field passthrough	No	Display instructions enumerate specific fields (Protocol, Chain, Asset, APY, TVL) — field-level isolation is present.

No other rules matched.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

Judge	Severity	Detected	Confidence	Evidence
L-PINJ	CRITICAL	No	0.95	No hidden instructions, no jailbreak patterns, no role manipulation.
L-MALI	CRITICAL	No	0.9	Declared purpose (yield data aggregation) matches actual behavior (HTTP GET to public API).
L-MEMA	HIGH	No	0.95	No attempts to write to MEMORY.md or persist instructions.
L-IINJ	INFO	Yes	0.9	External request to api.barker.money is declared; boundary statement is present in skill. INFO-level.
L-AEXE	INFO	No	0.9	No autonomous execution risk — purely read-only data fetching.
L-FINA	INFO	No	0.95	Read-only (no swap/transfer/sign) — exempt per L-FINA rules. Read-only yield-query case is exempted.
L-FISO	INFO	No	0.95	Field-level enumeration is explicit (Protocol, Chain, Asset, APY, TVL).

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The plugin has no curl|sh, no credential access, no persistence, no financial write operations.

Prompt Injection Scan

No suspicious patterns found. No base64 payloads, no Unicode obfuscation, no pseudo-system tags, no HTML comment injections, no instruction-override phrases. The "Security: External Data Boundary" section explicitly addresses indirect prompt injection from API responses.

Result: ✅ Clean

Dangerous Operations Check

The plugin performs no transfers, signing, contract calls, or transaction broadcasts. It is read-only.

Result: ✅ Safe

Data Exfiltration Risk

Only public, non-sensitive filter parameters (asset symbol, chain name, sort order, limit) are sent to api.barker.money. No wallet addresses, balances, signatures, private keys, or PII are transmitted. The SUMMARY.md explicitly confirms this scope.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — no source code; pure SKILL.md plugin with no scripts or binaries.

7. Code Review

Quality Score: 88/100

Dimension	Score	Notes
Completeness (pre-flight, commands, error handling)	21/25	Clear endpoint, params table, example response. No explicit error-handling guidance for API failures or rate limits (30 req/min).
Clarity (descriptions, no ambiguity)	24/25	Excellent: APY decimal-vs-percent warning, example interaction, CEX scope clarification.
Security Awareness (confirmations, slippage, limits)	24/25	Strong: explicit "External Data Boundary" section, no PII transmission, read-only.
Skill Routing (defers correctly, no overreach)	14/15	Stays in lane; correctly redirects CEX detail queries to barker.money website / enterprise API.
Formatting (markdown, tables, code blocks)	5/10	Well-formatted tables, code blocks, sections. Minor: could include a bullet list of supported assets/chains.

Strengths

• Excellent external data boundary declaration — proactively addresses indirect prompt injection.
• Clear data presentation rules (APY decimal conversion, TVL human-readable formatting, top-3 highlight).
• Honest scope disclosure — clarifies CEX detail is not in the public API and points to the website.

Issues Found

• 🔵 Minor: No explicit guidance for handling HTTP errors, rate-limit responses (429), or empty result sets.
• 🔵 Minor: The tags list in YAML frontmatter is duplicated/extensive; could be trimmed.

8. Language Check

File	Language Detected	English?
SKILL.md	English (with a few Chinese trigger keywords as examples)	✅
SUMMARY.md	English	✅

Body text is primarily English. The Chinese trigger keywords ("稳定币收益", "稳定币理财") are acceptable as keyword examples for multilingual user activation.

9. SUMMARY.md Review

Check	Result
File exists	✅
Written in English	✅
Has Overview section	✅
Has Prerequisites section	✅
Has Quick Start section	✅
Character count ≤ 17,000	✅ 1967 chars

11. Recommendations

1. Add brief error-handling guidance to SKILL.md: what the assistant should say when the API returns an empty list, a 429 rate-limit, or 5xx error.
2. Consider listing the canonical supported assets and chains explicitly in SKILL.md (or link to a discovery endpoint) so the agent doesn't guess.
3. Trim or consolidate the YAML tags list — many tags overlap (e.g., "yield" / "yield-farming" / "DeFi yield").
4. (Optional) Add a brief note on response caching expectations / freshness windows, since APY data changes frequently.

12. Reviewer Summary

One-line verdict: A clean, well-scoped read-only analytics skill that queries a single public API for stablecoin yield data — no on-chain operations, no credential access, no security red flags.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

Non-blocking improvements: add API error-handling guidance, list canonical supported assets/chains, trim redundant YAML tags.

---

Generated by Claude AI via Anthropic API — review the full report before approving.

[github-actions]

✅ Phase 1: Structure Validation — PASSED

Linting skills/stablecoin-yield-radar...

  ⚠️  [W100] suspicious pattern: 'curl ' — contains curl command — external network request
  ⚠️  [W140] SKILL.md references 8 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://app.barker.money/enterprise', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'stablecoin-yield-radar' passed with 2 warning(s)

→ Proceeding to Phase 2: Build Verification

[plugin-store-bot]

✅ Phase 4: Publish Complete

Plugins: stablecoin-yield-radar

• ✅ Build: 9 architectures compiled
• ✅ Release: GitHub Release created
• ✅ Pre-flight: injected into SKILL.md
• ✅ Registry: registry.json updated
• ✅ Merged to main

View workflow run

---

Published by Plugin Store CI