Token Vesting
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only Sablier vesting skill is coherent and discloses its wallet/RPC needs, but it can create irreversible on-chain token transactions, so users should review each action carefully.
Install only if you are comfortable using an agent to help prepare Sablier transactions. Prefer a hardware wallet or encrypted keystore, never paste a private key into chat, treat RPC URLs with API keys as secrets, and manually confirm every recipient, amount, token, chain, contract address, and vesting schedule before signing. The provided SKILL.md content was truncated, so inspect the full instructions before using it with valuable mainnet funds.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken chain, token, recipient, amount, approval, or schedule could lock or move tokens incorrectly, and blockchain transactions are often difficult or impossible to reverse.
The skill is intended to prepare or run on-chain actions that can approve, lock, withdraw, or otherwise manage ERC-20 token streams. That is purpose-aligned, but high-impact if parameters are wrong.
Use this skill when the user asks you to: Create a token vesting stream ... Lock tokens in a vesting contract ... Cancel, withdraw from, or manage an existing Sablier stream
Before sending any transaction, verify the chain, contract address, token address, recipient, amount, timing, and calldata. Prefer simulation or dry-run steps and require explicit user confirmation for each signed transaction.
The signing key or wallet can control funds; if exposed or misused, assets could be transferred or approved without recovery.
The skill needs a wallet signing method to perform the requested Sablier transactions. It includes explicit private-key handling guidance, making the credential use disclosed and purpose-aligned.
Always recommend the safest available signing method ... Hardware wallet ... Foundry keystore ... Environment variable: `--private-key $ETH_PRIVATE_KEY`
Use a hardware wallet or Foundry encrypted keystore for mainnet funds. Do not paste private keys into chat, avoid raw private-key command arguments where possible, and use a low-value or dedicated wallet for testing.
