[new-plugin] yield-strategy-advisor

[skylavis-sky]

Plugin Submission

Plugin name: yield-strategy-advisor
Version: 0.1.0
Author: Barker (@YBSbarker)
Type: new-plugin (skill-only)

What does this plugin do?

Checklist

• LICENSE file included
• SKILL.md with YAML frontmatter (name, description)
• SUMMARY.md with Overview / Prerequisites / Quick Start
• .claude-plugin/plugin.json present
• No reserved prefixes used
• No onchainos commands (pure skill, read-only)

---

Source: barker-stablecoin-skills-7bc027c.zip

[github-actions]

📋 Phase 3: AI Code Review Report — Score: 86/100

Plugin: yield-strategy-advisor | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~406781+4197 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.

---

1. Plugin Overview

Field	Value
Name	yield-strategy-advisor
Version	0.1.0
Category	analytics
Author	Barker (YBSbarker)
License	MIT
Has Binary	No (Skill only)
Risk Level	Low (inferred — read-only analytics)

Summary: A stablecoin yield strategy advisor that queries Barker's public API to recommend diversified stablecoin allocations across DeFi and CEX venues based on user risk tolerance, capital size, and chain preference. It returns informational allocation tables and APY estimates — it does not execute trades or touch wallets.

Target Users: Stablecoin holders looking for yield allocation guidance across protocols; users new to DeFi yield strategies who want a starting framework before manually executing positions.

2. Architecture Analysis

Components:
Skill-only plugin. No binary, no build config. The SKILL.md instructs the host LLM to call Barker's public REST API and present formatted recommendations.

Skill Structure:
SKILL.md contains: Overview, Trigger keywords, 4-step Strategy Framework (assess profile → fetch data → apply templates → capital sizing), presentation rules, an example interaction, About section, important notes, and a Security/External Data Boundary section. No CLI commands — purely instructional.

Data Flow:

1. User asks about stablecoin yield strategy.
2. Skill instructs LLM to call GET https://api.barker.money/api/public/v1/defi/vaults with public params (asset/chain/sort/limit).
3. LLM formats the returned APY/TVL/protocol data into a tiered allocation table.
4. No write operations, no wallet interaction, no signing.

Dependencies:

• External API: api.barker.money (public, no auth, 30 req/min rate limit).
• No CLI tools, no onchainos commands, no SDKs.

3. Auto-Detected Permissions

onchainos Commands Used

Command Found	Exists in onchainos CLI	Risk Level	Context
(none)	N/A	N/A	Plugin does not use onchainos CLI

Wallet Operations

Operation	Detected?	Where	Risk
Read balance	No	—	Low
Send transaction	No	—	High
Sign message	No	—	High
Contract call	No	—	High

External APIs / URLs

URL / Domain	Purpose	Risk
https://api.barker.money/api/public/v1/defi/vaults	Fetch stablecoin yield data	Low
https://barker.money	Vendor website (referenced in attribution)	Low

Chains Operated On

None directly. The skill references chains (Ethereum, Arbitrum, Base, etc.) only as filter parameters and informational fields — no on-chain operations.

Overall Permission Summary

This plugin is purely informational/advisory. It reads yield data from a single public API and presents formatted allocation recommendations. No wallet access, no signing, no transactions, no PII or sensitive data transmitted. The only external dependency is api.barker.money, which is single-vendor but public and rate-limited.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

N/A — the plugin performs no on-chain write operations. onchainos usage is optional and this plugin is read-only/advisory.

On-Chain Write Operations (MUST use onchainos)

Operation	Uses onchainos?	Self-implements?	Detail
Wallet signing	N/A	No	No signing
Transaction broadcasting	N/A	No	No broadcasting
DEX swap execution	N/A	No	No swaps
Token approval	N/A	No	No approvals
Contract calls	N/A	No	No contract calls
Token transfers	N/A	No	No transfers

Data Queries (allowed to use external sources)

Data Source	API/Service Used	Purpose
Barker	api.barker.money/api/public/v1/defi/vaults	Stablecoin yield aggregation across 500+ DeFi protocols + 20+ CEX

External APIs / Libraries Detected

• api.barker.money (public REST API, no auth)

Verdict: ✅ Fully Compliant

The plugin performs only read-only data queries from a third-party API — which is explicitly allowed. No on-chain writes are attempted, so onchainos compliance is N/A.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

Rule ID	Severity	Title	Matched?	Detail
M07	MEDIUM	Missing untrusted-data boundary	No	SKILL.md explicitly includes a "Security: External Data Boundary" section stating returned values are untrusted and should not be executed.
H05	INFO	Direct financial / on-chain ops	No	No financial write operations; only read-only advisory content.

No other static rules matched. No curl | sh, no base64 obfuscation, no Unicode hidden content, no credential exfiltration, no persistence mechanisms, no hardcoded secrets, no eval/exec, no skill chaining, no pseudo-system tags, no HTML comment injection.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

Judge	Severity	Detected	Confidence	Evidence
L-PINJ	CRITICAL	No	0.95	No prompt injection, override instructions, or hidden directives.
L-MALI	CRITICAL	No	0.92	Declared purpose (stablecoin yield advisory) matches actual behavior (public API read + formatting).
L-MEMA	HIGH	No	0.95	No memory file writes or persistent behavior modification.
L-IINJ	INFO	Yes (INFO only)	0.95	External request to api.barker.money is declared; boundary statement present → INFO, no MEDIUM trigger.
L-AEXE	INFO	No	0.90	Skill is purely advisory; no autonomous execution, no fund actions.
L-FINA	INFO	No (read-only)	0.95	Read-only advisory — exempt per L-FINA rule for non-write financial scope.
L-FISO	—	—	—	No field-level passthrough concern; API response is small/structured and the skill renders to a fixed table.

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The plugin has no write operations, no curl|sh, no sensitive path access, and includes the untrusted-data boundary declaration — none of TF001–TF006 trigger conditions are met.

Prompt Injection Scan

No instruction overrides, identity manipulation, base64 payloads, invisible characters, pseudo-system tags, or HTML comment injection detected. The "Security: External Data Boundary" section is a genuine defensive instruction.

Result: ✅ Clean

Dangerous Operations Check

No transfers, no signing, no contract calls, no transaction broadcasting. The skill is purely informational.

Result: ✅ Safe

Data Exfiltration Risk

No PII, wallet addresses, balances, signatures, or private keys are transmitted. The skill explicitly states only public stablecoin/chain/sort/capital parameters are sent.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — no source code / no build section.

7. Code Review

Quality Score: 86/100

Dimension	Score	Notes
Completeness (pre-flight, commands, error handling)	21/25	Clear trigger keywords, strategy framework, example. No explicit error handling for API failures (rate limit, downtime).
Clarity (descriptions, no ambiguity)	22/25	Well-structured tables, explicit APY decimal warning. Trigger list is thorough.
Security Awareness (confirmations, slippage, limits)	24/25	Strong: explicit untrusted-data boundary, no PII transmission statement, "not financial advice" disclaimer.
Skill Routing (defers correctly, no overreach)	13/15	Mentions pairing with stablecoin-risk-check for safety analysis. Stays in its lane (advisory only).
Formatting (markdown, tables, code blocks)	9/10	Clean tables, good use of code fences for API endpoints.

Strengths

• Explicit untrusted-data boundary declaration (M07/M08 compliant).
• Clear disclaimer that recommendations are educational, not financial advice.
• APY decimal handling caveat is called out prominently — prevents user-facing display bugs.

Issues Found

• 🔵 Minor: No guidance for handling API rate-limit responses (30 req/min) or transient failures. Worth a 1-line note.
• 🔵 Minor: The "Quick Start" in SUMMARY.md mentions yield-strategy-advisor quickstart as if it were a command — the plugin is a skill activated by keywords, not a CLI subcommand. Slightly misleading.
• 🔵 Minor: Could enumerate the specific API response fields (e.g., protocol, chain, asset, apy, tvl) the LLM should display, which would reinforce field-level isolation (M08 best practice).

8. Language Check

File	Language Detected	English?
SKILL.md	English (with a few Chinese trigger phrases like "稳定币策略" — acceptable as locale keywords)	✅
SUMMARY.md	English	✅

9. SUMMARY.md Review

Check	Result
File exists	✅
Written in English	✅
Has Overview section	✅
Has Prerequisites section	✅
Has Quick Start section	✅
Character count ≤ 17,000	✅ 1914 chars

11. Recommendations

1. Add a brief note in SKILL.md on how to handle API failures or 429 rate-limit responses (e.g., "if the API returns an error or is unreachable, inform the user and do not fabricate yield numbers").
2. Clarify in SUMMARY.md that the skill is activated by keywords/intent, not by a quickstart subcommand — current phrasing implies a CLI command.
3. Consider enumerating the specific API response fields the LLM is permitted to render (protocol, chain, asset, apy, tvl) to harden field-level isolation against future API changes that might add executable-looking fields.
4. Add an explicit warning that APY values from third-party aggregators may be stale, incentivized (and thus subject to abrupt drop), or include rewards that require manual claiming.

12. Reviewer Summary

One-line verdict: A well-scoped, low-risk read-only advisory skill that queries a single public API for stablecoin yield data and presents allocation recommendations with appropriate disclaimers and security boundaries.

Merge recommendation: ✅ Ready to merge

Blockers (if any — list every issue that MUST be fixed before merge, each prefixed with ❌):

No blockers found.

Optional improvements (non-blocking): add API error-handling guidance, clarify the "quickstart" phrasing in SUMMARY.md, and explicitly enumerate the API response fields the skill should render.

---

Generated by Claude AI via Anthropic API — review the full report before approving.

[github-actions]

✅ Phase 1: Structure Validation — PASSED

Linting skills/yield-strategy-advisor...

  ⚠️  [W140] SKILL.md references 6 external URL(s) not listed in api_calls: 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money', 'https://barker.money'. Add them to api_calls in plugin.yaml so reviewers can verify them.

✓ Plugin 'yield-strategy-advisor' passed with 1 warning(s)

→ Proceeding to Phase 2: Build Verification

[plugin-store-bot]

✅ Phase 4: Publish Complete

Plugins: yield-strategy-advisor

• ✅ Build: 9 architectures compiled
• ✅ Release: GitHub Release created
• ✅ Pre-flight: injected into SKILL.md
• ✅ Registry: registry.json updated
• ✅ Merged to main

View workflow run

---

Published by Plugin Store CI