defi-risk-analysis
Evaluates DeFi protocols' risk profiles by analyzing smart contracts, governance, and historical performance to identify vulnerabilities.
Security score
The defi-risk-analysis skill was audited on May 26, 2026. The audit found 42 security issues across 3 threat categories, including 3 rated high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

| Line | Content |
|---|---|
| 734 | ``` |
Curl to non-GitHub URL

| Line | Content |
|---|---|
| 39 | curl -s 'https://api.llama.fi/protocols' \| jq -r '.[] \| select(.name \| test("{protocol}"; "i")) \| "\(.slug) -- \(.name) -- TVL: \(.tvl)"' |
| 42 | Then fetch full data with the resolved slug: `curl -s 'https://api.llama.fi/protocol/{slug}'` to get: |
| 48 | curl -s "https://api.gopluslabs.io/api/v1/token_security/<chain_id>?contract_addresses=<address>" |
| 69 | - **RugCheck**: `curl -s 'https://api.rugcheck.xyz/v1/tokens/{mint_address}/report'` -- returns risk score, mutable metadata, freeze authority, mint authority, top holders, LP lock status |
| 70 | - **Birdeye**: `curl -s -H 'X-API-KEY: public' 'https://public-api.birdeye.so/public/token_security?address={mint_address}'` -- holder concentration, LP info |
| 81 | curl -s "https://api.gopluslabs.io/api/v1/address_security/<address>?chain_id=<chain_id>" |
| 206 | curl -s 'https://api.llama.fi/protocol/{slug}' \| jq '{audits, audit_note, audit_links}' |
| 416 | curl -s "https://api.etherscan.io/api?module=contract&action=getsourcecode&address=<address>&apikey=<key>" |
| 418 | curl -s "https://api.arbiscan.io/api?module=contract&action=getsourcecode&address=<address>&apikey=<key>" |
| 580 | curl -s "https://api.etherscan.io/api?module=logs&action=getLogs&address={proxy}&topic0=0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b&apikey={key}" |
External URL reference

| Line | Content |
|---|---|
| 39 | curl -s 'https://api.llama.fi/protocols' \| jq -r '.[] \| select(.name \| test("{protocol}"; "i")) \| "\(.slug) -- \(.name) -- TVL: \(.tvl)"' |
| 42 | Then fetch full data with the resolved slug: `curl -s 'https://api.llama.fi/protocol/{slug}'` to get: |
| 48 | curl -s "https://api.gopluslabs.io/api/v1/token_security/<chain_id>?contract_addresses=<address>" |
| 69 | - **RugCheck**: `curl -s 'https://api.rugcheck.xyz/v1/tokens/{mint_address}/report'` -- returns risk score, mutable metadata, freeze authority, mint authority, top holders, LP lock status |
| 70 | - **Birdeye**: `curl -s -H 'X-API-KEY: public' 'https://public-api.birdeye.so/public/token_security?address={mint_address}'` -- holder concentration, LP info |
| 81 | curl -s "https://api.gopluslabs.io/api/v1/address_security/<address>?chain_id=<chain_id>" |
| 206 | curl -s 'https://api.llama.fi/protocol/{slug}' \| jq '{audits, audit_note, audit_links}' |
| 218 | https://{domain}/audits |
| 219 | https://{domain}/security |
| 416 | curl -s "https://api.etherscan.io/api?module=contract&action=getsourcecode&address=<address>&apikey=<key>" |
| 418 | curl -s "https://api.arbiscan.io/api?module=contract&action=getsourcecode&address=<address>&apikey=<key>" |
| 580 | curl -s "https://api.etherscan.io/api?module=logs&action=getLogs&address={proxy}&topic0=0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b&apikey={key}" |
| 721 | - Squads v3/v4 multisig: follow up at https://v4.squads.so/ for threshold/members |
| 1015 | - Protocol info: `https://api.llama.fi/protocol/{slug}` |
| 1016 | - All protocols: `https://api.llama.fi/protocols` |
| 1018 | - Yields: `https://yields.llama.fi/pools` |
| 1022 | Base URL: `https://api.gopluslabs.io/api/v1` |
| 1048 | \| Ethereum \| `https://safe-transaction-mainnet.safe.global/api/v1` \| |
| 1049 | \| Arbitrum \| `https://safe-transaction-arbitrum.safe.global/api/v1` \| |
| 1050 | \| Polygon \| `https://safe-transaction-polygon.safe.global/api/v1` \| |
| 1051 | \| Optimism \| `https://safe-transaction-optimism.safe.global/api/v1` \| |
| 1052 | \| Base \| `https://safe-transaction-base.safe.global/api/v1` \| |
| 1053 | \| BSC \| `https://safe-transaction-bsc.safe.global/api/v1` \| |
| 1063 | \| 1 (Ethereum) \| `https://api.etherscan.io/api` \| |
| 1064 | \| 56 (BSC) \| `https://api.bscscan.com/api` \| |
| 1065 | \| 137 (Polygon) \| `https://api.polygonscan.com/api` \| |
| 1066 | \| 42161 (Arbitrum) \| `https://api.arbiscan.io/api` \| |
| 1067 | \| 10 (Optimism) \| `https://api-optimistic.etherscan.io/api` \| |
| 1068 | \| 8453 (Base) \| `https://api.basescan.org/api` \| |
| 1076 | - **URL**: `https://api.mainnet-beta.solana.com` (or set `SOLANA_RPC_URL` env var) |
| 1084 | \| `https://api.solana.fm/v0/accounts/{address}` \| Account label, owner program, type detection \| |