Security audit

ERC20 Tokenomics Builder

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ERC20 tokenomics helper with disclosed, purpose-aligned blockchain deployment examples, but users should treat the fund-moving snippets carefully.

Install only if you need ERC20 launch-planning guidance. Before using any script with real funds, verify the network, signer, beneficiary addresses, token address, token amounts, and vesting start/duration semantics on a testnet or dry run, and never paste private keys into chats, logs, or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The comments describe a model with a cliff followed by linear vesting, which implies the returned values should correctly encode that schedule. The function computes `start` as TGE plus cliff and `duration` as only `vest_months`, which means the effective schedule begins after the cliff rather than representing a combined cliff-plus-vesting interval; this is a semantic mismatch between the documentation and the actual returned parameters for `VestingWallet`.

Missing User Warnings

Medium
Confidence: 88%
Finding
This markdown includes executable deployment examples that create vesting wallets and transfer tokens to them in batch, which can directly affect user funds if the input JSON or environment variables are wrong. The surrounding documentation does not provide any user-facing warning to verify addresses, timestamps, allocations, network, or to test on a non-production environment before execution.

VirusTotal

57/57 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.