sablier-create-airdrop
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `cast` utility from the Foundry toolkit to interact with the blockchain, including gas estimation and transaction broadcasting. It also executes a local Node.js script (`generate-merkle-campaign.mjs`) to perform Merkle tree calculations.
- [EXTERNAL_DOWNLOADS]: The skill manages its own Node.js dependencies (`viem`, `@openzeppelin/merkle-tree`, `csv-parse`) via npm. It also directs users to official sources for tool installations like Foundry and provides links to Sablier's official documentation.
- [DATA_EXFILTRATION]: The skill transmits Merkle tree data to Pinata (`api.pinata.cloud`), a well-known IPFS pinning service, to ensure the airdrop data is available for recipients. This is intended functionality and does not involve unauthorized sensitive data access.
- [PROMPT_INJECTION]: The skill processes user-provided CSV files for recipient lists, which represents an indirect prompt injection surface. The risk is mitigated by strict validation logic within the `generate-merkle-campaign.mjs` script, which enforces address checksums and numeric amount validation.
Audit Metadata