fix: add zyfai skill #12

Open
PaulDeFi wants to merge 1 commit into moonpay:main from ondefy:main

@PaulDeFi

New Skill

Skill name: skills/zyfai-yield/

Description: Earn DeFi yield on MoonPay wallets via Zyfai. Creates a non-custodial subaccount (Safe smart wallet) that automatically optimizes funds across DeFi protocols.

Primary chain: Base, Arbitrum, Plasma

Primary token: USDC, WETH

Checklist

  • skills/zyfai-yield/SKILL.md with YAML frontmatter (name, description)
  • Skill added to .claude-plugin/marketplace.json
  • Description is specific about when Claude should trigger this skill

MoonPay Integration

This skill uses MoonPay wallets for:

  • Wallet export: mp wallet export --wallet <name> to get the mnemonic
  • Balance check: mp token balance list --wallet <address> --chain base before depositing
  • Key derivation: Derive private key from MoonPay mnemonic to connect to Zyfai SDK

The workflow: export MoonPay wallet → derive keys → create Zyfai API key → deploy subaccount → deposit funds → earn automated yield → withdraw anytime.

Example Usage

# 1. Export MoonPay wallet
mp wallet export --wallet zyfai-base

# 2. Check balance before depositing
mp token balance list --wallet 0x... --chain base

// 3. Derive keys from mnemonic
import { HDNodeWallet } from "ethers";
const wallet = HDNodeWallet.fromPhrase("<mnemonic>");

// 4. Create API key with wallet address
// POST https://sdk.zyf.ai/api/sdk-api-keys/create

// 5. Deploy subaccount and deposit
import { ZyfaiSDK } from "@zyfai/sdk";
const sdk = new ZyfaiSDK({ apiKey: "<api-key>" });
await sdk.connectAccount("<private-key>", 8453);
await sdk.deploySafe(userAddress, 8453, "conservative");
await sdk.createSessionKey(userAddress, 8453);
await sdk.depositFunds(userAddress, 8453, "10000000"); // 10 USDC

// 6. Withdraw anytime
await sdk.withdrawFunds(userAddress, 8453);

Contributor

@kevarifin14 kevarifin14 left a comment

Detailed Review: zyfai-yield Skill

Overall, this is a well-structured skill that follows the template closely and provides genuine value. However, there are several issues that need to be addressed before merging.


1. Marketplace Placement — Wrong Plugin Group

The zyfai-yield entry was added inside the moonpay-skills plugin array. This is a partner skill, not a MoonPay skill. The marketplace.json currently only has one plugin group (moonpay-skills), so either:

  • A new plugin group should be created for partner skills (e.g., partner-skills), or
  • The repo maintainers should clarify if partner skills belong in the same group.

As it stands, a partner skill sitting inside a group described as "Crypto infrastructure skills for AI agents — wallet management, token trading, cross-chain bridges, fiat on/off ramp, and more via the MoonPay CLI" is misleading.

2. Skill is Heavily Code-Based — Violates "No Code" Principle

This is the biggest concern. The CLAUDE.md states:

Skills are not code — they are instructional guides. All execution happens through CLIs.

This skill contains extensive TypeScript code blocks with SDK imports, async/await patterns, and programmatic API calls:

  • import { ZyfaiSDK } from "@zyfai/sdk"
  • await sdk.deploySafe(...), await sdk.depositFunds(...), etc.
  • import { HDNodeWallet } from "ethers" for key derivation

These are not CLI commands — they are SDK integration code. An agent following this skill would need to write and execute TypeScript programs, which is fundamentally different from running CLI commands. The skill should either:

  • Provide a CLI wrapper (does Zyfai have a CLI?), or
  • Be explicit that this skill requires the agent to generate and run Node.js scripts, and structure the instructions accordingly (e.g., "Create a script at /tmp/zyfai-deposit.ts with the following content...").

As written, it reads more like SDK documentation than an agent skill.

3. Security Concern — Private Key Handling

The skill instructs the agent to:

  1. Export a MoonPay wallet mnemonic (mp wallet export)
  2. Derive the private key
  3. Pass it to the Zyfai SDK (sdk.connectAccount("<private-key>", 8453))

This workflow has the agent handling raw private keys in plaintext. The skill should include explicit security warnings about:

  • Never logging or persisting the private key
  • Cleaning up any temporary scripts that contain the key
  • The risk inherent in programmatic key extraction

4. curl API Call for Key Creation — Fragile and Undocumented

The API key creation step uses a raw curl command to https://sdk.zyf.ai/api/sdk-api-keys/create. Issues:

  • The example email is agent@example.com — is this actually accepted? What email should be used?
  • There is no error handling guidance (what if the endpoint returns an error?)
  • The response format shown could change — is this a stable API?
  • The note "Store the apiKey securely — it cannot be retrieved later" is good, but there is no guidance on WHERE to store it (e.g., ~/.config/zyfai/ would be consistent with other skills' conventions)

5. Missing Config File Convention

Other skills in this repo store config under ~/.config/ (per CLAUDE.md). This skill should define a config location for:

  • The Zyfai API key
  • Preferred chain/strategy settings

Something like ~/.config/zyfai/config.json would be consistent.

6. PR Title is Misleading

The PR title is fix: add zyfai skill. Adding a new skill is not a "fix" — it should be feat: add zyfai-yield skill.

7. Tags Could Be More Specific

[yield, defi] is quite sparse. Consider adding more discoverable tags: [yield, defi, base, arbitrum, safe, automated, passive-income, zyfai]

8. Minor Issues

  • Strategy selection: The skill mentions "conservative" and "aggressive" strategies but doesn't guide the agent on when to recommend which. An agent needs decision criteria.
  • "Plasma" chain: This is listed as a supported chain (ID 9745). This doesn't correspond to any well-known chain ID. Is this a private/custom chain? Should be clarified.
  • WETH caveat: The note "user must have WETH, not ETH" is good but incomplete — should the skill reference a wrapping step or another skill for converting ETH to WETH?
  • Withdraw semantics: sdk.withdrawFunds with undefined as the amount for WETH withdrawal is confusing — explain what undefined means (withdraw all).

Summary

Positives:

  • Follows the template structure well (frontmatter, overview, prerequisites, workflow, examples, related skills)
  • Description is specific about when to trigger
  • Cross-references to related MoonPay skills are appropriate
  • Marketplace.json was updated
  • PR checklist was completed

Must Fix:

  1. Address the "no code" principle — this skill is essentially an SDK tutorial, not a CLI-driven skill
  2. Add security guidance for private key handling
  3. Add config file convention (~/.config/zyfai/)
  4. Fix PR title (feat: not fix:)

Should Fix:

  5. Clarify marketplace.json placement for partner skills
  6. Add strategy selection guidance for the agent
  7. Clarify the Plasma chain
  8. Add WETH wrapping guidance or cross-reference
  9. Expand tags
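
Added example, not part of the PR or of the review above: one way a CLI-driven skill could act on review points 3 and 5, keeping the API key in a private config file and finding leftover scripts that still hold a raw key. The path ~/.config/zyfai/config.json is the reviewer's suggestion; the function names, the JSON layout and the accepted key alphabet are assumptions.

```shell
#!/usr/bin/env bash
# Added example. ~/.config/zyfai/config.json is the location the review
# suggests; function names and the JSON layout are assumptions.

# Store an API key read from stdin so it never appears in argv or shell history.
zyfai_store_api_key() {
  local dir="${1:-$HOME/.config/zyfai}" key tmp
  IFS= read -r key || [ -n "$key" ] || return 1
  # Assumed key alphabet; anything else is rejected so the JSON stays well-formed.
  case "$key" in
    ''|*[!A-Za-z0-9._-]*) echo "rejecting malformed key" >&2; return 1 ;;
  esac
  (
    umask 077                                  # new dir 0700, new files 0600
    mkdir -p "$dir" || exit 1
    chmod 700 "$dir" || exit 1                 # tighten a pre-existing directory
    tmp="$(mktemp "$dir/.config.XXXXXX")" || exit 1
    printf '{"apiKey":"%s"}\n' "$key" > "$tmp" || exit 1
    mv -f "$tmp" "$dir/config.json"            # atomic replace
  )
}

# Succeed only if the config is a regular, non-symlink file with mode 600.
zyfai_config_is_private() {
  local f="${1:-$HOME/.config/zyfai/config.json}" mode
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")" || return 1
  [ "$mode" = "600" ]
}

# List files under a directory that hold what looks like a raw 32-byte hex key
# (64 hex digits, optional 0x). Prints file names only, never the match.
# Transaction hashes have the same shape, so review hits before deleting.
zyfai_find_key_leftovers() {
  grep -rlE '(^|[^0-9a-fA-F])(0x)?[0-9a-fA-F]{64}([^0-9a-fA-F]|$)' "${1:-/tmp}" 2>/dev/null || true
}
```

Run the permission check before each use of the stored key, and the leftover scan after any step that wrote a script containing the derived key.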

Contributor

@kevarifin14 kevarifin14 left a comment

Grade: D+

Most problematic submission. The entire skill is TypeScript SDK code (@zyfai/sdk, ethers) rather than CLI-driven instructions — fundamentally violates the repo's "skills are not code" principle. Also: raw private key handling with no security guidance, wrong PR title prefix (fix: not feat:), unknown "Plasma" chain, and partner skill misplaced in marketplace.json. Needs a full rewrite as CLI instructions.

Contributor

@kevarifin14 kevarifin14 left a comment

Status check

No new commits since last review.

Verification results:

  • @zyfai/sdk — confirmed real (npm, v0.2.26, 59 versions, MIT license)

Current grade: D+

The SDK is real, but the skill is still written as TypeScript SDK code, not CLI instructions. This is the core blocker.

To get to A+:

  1. Rewrite as CLI instructions — Does Zyfai have a CLI? If not, use curl commands against their API, or wrap the SDK calls in a simple script that the skill instructs the user to install. The SKILL.md itself should not contain SDK code blocks.
  2. Fix PR title: fix: → feat: (this is a new skill, not a bug fix)
  3. marketplace.json placement — Move into its own plugin block, not inside moonpay-skills
  4. Add security guidance — The skill has the agent handling raw private keys and mnemonics. Add warnings.
  5. Clarify "Plasma" chain — Chain ID 9745 is not well-known. Link to docs or explain what it is.
