Token Vesting

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Sablier token-vesting helper, but it prepares high-impact blockchain transactions that users must review before signing.

Install only if you intend to prepare Sablier vesting transactions. Use a hardware wallet or encrypted Foundry keystore when possible, never paste private keys into chat, and manually verify every address, network, token amount, vesting schedule, and cancelability setting before signing. Treat cancel and renounce as serious actions; renounce permanently gives up cancellation rights.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill provides executable approval and stream-creation commands that can move or lock real ERC-20 funds, but it does not pair those steps with a prominent transaction-safety warning to verify chain, token, recipient, amount, contract address, and vesting parameters before signing. In a financial skill, omission of explicit confirmation guidance materially increases the risk of irreversible user loss from typos, malicious prompting, or operator misunderstanding.

Missing User Warnings

Medium
Confidence: 97%
Finding
The management section includes `cancel` and especially `renounce` operations without a strong inline warning about destructive consequences. `renounce` is explicitly irreversible and `cancel` can materially alter token custody and vesting outcomes, so presenting them as routine commands can lead users to permanently change rights or recoverability without understanding the impact.

VirusTotal

64/64 vendors flagged this skill as clean.
