Audit and analyze Solidity smart contracts for security vulnerabilities. Use when reviewing, auditing, or analyzing smart contracts, Solidity code, DeFi prot...
Security Analysis
high confidenceThe skill's requested actions, files, and runtime instructions are coherent with a smart-contract auditing workflow; nothing requested is disproportionate to that purpose, but you should inspect/install scripts and run audits in an isolated environment before use.
The name/description match the behavior: the skill runs static analysis (Slither, Aderyn), collects repo docs/tests/deploy scripts, classifies protocol types, runs multi-run LLM analyses, and generates reports/PoCs. All required files and docs align with an audit-oriented skill and no unrelated credentials, binaries, or config paths are requested.
SKILL.md's runtime instructions are narrowly focused on auditing: resolving the target (file/dir/GitHub), detecting framework (Foundry/Hardhat), installing tools via the provided script, running static analyzers in parallel, analyzing docs/deploy scripts/tests, running coverage/storage-layout checks, spawning specialist/triager agents, and consolidating results. It explicitly prioritizes deploy scripts and tests (expected for audits). The skill does instruct network actions (git clone, web searches for incident dbs) and to run compilers/Foundry commands which may require network access or RPC endpoints — this is expected for the stated purpose but relevant to operational safety.
Registry has no formal install spec (instruction-only), but the package includes scripts/scripts/install-tools.sh and tool-run scripts. The references indicate installation via pip (slither/solc-select), cargo/npm (aderyn), and npm tooling for other analyzers. These are standard package-manager installs (moderate risk compared to purely instruction-only skills). Because the skill will execute an included install script that fetches tooling from public package managers, you should review the script contents before running in production. No arbitrary URL downloads were declared in the manifest.
The skill declares no required environment variables, no primary credential, and no config paths. The SKILL.md does mention optional behaviors that could use RPC/network access for Foundry coverage or tests, but it does not request keys or secrets. This is proportionate to an audit skill. The agent may ask the user-provided target (a repo) for context, but that is normal.
The skill is not always-on (always:false) and uses the default autonomous invocation setting. It does not request to modify other skills or system-wide configs. The included scripts and multi-agent orchestration run within the audit context; no elevated or persistent platform privileges are requested.
Guidance
This skill appears coherent for smart-contract audits, but take these precautions before running it: - Inspect scripts/install-tools.sh and the run-* scripts to confirm they only call trusted package managers (pip/cargo/npm) or official project releases and do not curl/execute unknown binaries or contact untrusted endpoints. - Run the skill in an isolated/sandboxed environment (container or VM) because it compiles code, installs tooling, clones repos, and may run tests that execute arbitrary code from the target repository. - Do not provide private RPC endpoints, API keys, or other secrets to the skill; Foundry coverage or forked tests may request an RPC but you should supply a read-only/public endpoint or none at all. - Expect the skill to perform network access (git clone, package installs, web searches). If your policy restricts outbound network access, block or review those steps. - Review any generated PoC test code before executing it on a live network; PoCs may attempt state-changing transactions if run outside a test/fork environment. If you want extra assurance, paste the contents of scripts/install-tools.sh and scripts/run-*.sh here and I can inspect them for suspicious downloads or commands before you run the skill.
Latest Release
v3.1.0
v3.1
Popular Skills
Published by @cornbrother0x on ClawHub
