ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Bug Finder

Iteratively scans, analyzes, fixes, and verifies Solidity contracts using Hardhat and Slither until no critical, high, or medium security bugs remain or max...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 21 · 0 current installs · 0 all-time installs
by@jengajojo
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and code both describe running Hardhat, Slither, coverage and heuristics to audit Solidity contracts, which is coherent with the skill's name. However the registry metadata claims no required binaries or env vars while the instructions explicitly require Node.js, npx/hardhat, and Slither; that mismatch is unexpected and should have been declared in metadata.
!
Instruction Scope
The runtime instructions tell the user to copy the script into their contract project and run it, and the script runs shell commands (npx hardhat, slither, coverage) and reads/writes project files. The code sets PROJECT_DIR = path.resolve(__dirname, '..'), which likely makes the script operate in the parent directory of where the file is placed — this contradicts the Quick Start and can cause scanning/changes outside the intended project. The script executes arbitrary shell commands via exec, reads contract/test files, and writes patch and report files; these are expected for an auditor but the directory-behavior bug increases risk of unintended scope.
Install Mechanism
No installer is provided (instruction-only plus included script), so nothing is automatically downloaded or installed by the skill itself. The script does call external tools (npx, slither) at runtime, which are external dependencies the user must provide; no remote install URLs or archives were observed in the manifest.
Credentials
The skill declares no required environment variables which aligns with metadata, but the script launches child processes with env: { ...process.env, ...options.env } (inheriting the whole environment). That is typical for running tooling, but because the script executes shell commands and may surface outputs, be aware that sensitive environment variables from the runner will be present in subshells and could appear in logs or be incidentally used by tools. Also metadata omission of required tooling (Hardhat/Slither) is a proportionality/documentation issue.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system privileges, and writes outputs only into its own patches/ and FINAL-REPORT.md files. No evidence of modifying other skills or global agent settings was found. However, because the script may operate in the wrong directory (see instruction scope), those writes could land in an unexpected location.
What to consider before installing
Do not run this script on sensitive repositories or on your primary workstation without review. Specific recommendations: 1) Inspect the full auto-bug-finder.js file (it was truncated in the package) to ensure there are no network exfiltration calls or hidden commands. 2) Fix/verify the PROJECT_DIR logic (script uses path.resolve(__dirname, '..')) — either place the file where the script expects, or change it to use process.cwd() so it runs in your current project root. 3) Run the tool in an isolated environment (throwaway VM or container) with only the needed tooling installed (Node 18+, Hardhat via npx, Slither via pip), and with sensitive env vars removed. 4) Update metadata/README to declare required binaries (npx/hardhat, slither) so you can provision them explicitly. 5) Backup the repo or use a git branch before letting the script apply patches. 6) If you want higher assurance, run the script with verbose logging redirected to a file you control, and search the code for any outbound network calls or invocation of curl/wget/http(s) before trusting it on production code. If you want, I can scan the remaining truncated portion of the script for suspicious patterns if you paste it.
auto-bug-finder.js:39
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9789wf19j3qsaegprndxe0s39830bt1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Auto Bug Finder — Code Security Scanner

Iterative, LLM-inspired bug detection and fixing system for production code. Currently supports Solidity (Hardhat + Slither). Extensible to Node.js, Python, and other stacks. Inspired by Andrej Karpathy's methodology: analyze → find → fix → test → repeat until clean.

What It Does

Runs multi-tool security scans in iterative sprints:

  1. Scan — Compiles, runs tests, runs static analysis (Slither for Solidity), checks coverage
  2. Analyze — Parses all tool outputs into structured findings (Critical/High/Medium/Low/Info)
  3. Fix — Generates patches for each finding with documentation
  4. Verify — Recompiles, retests, rescans to confirm fixes
  5. Loop — Repeats until 0 Critical/High/Medium findings OR 10 sprints max

When To Use

  • Before marking any Solidity contract as complete (mandatory per Netrix policy)
  • Before mainnet deployment — catch issues cheaply on testnet
  • After major refactors — verify no regressions
  • As part of CI/CD — automated security gate

How To Use

Quick Start

# Copy the skill into your contract project
cp skills/auto-bug-finder/auto-bug-finder.js projects/my-contract/auto-bug-finder.js

# Run from the project root (where hardhat.config.js lives)
cd projects/my-contract
node auto-bug-finder.js

Requirements

  • Node.js 18+
  • Hardhat project with existing tests
  • Slither (pip install slither-analyzer)
  • Solidity 0.8.x contracts

Output

The script creates in auto-bug-finder/:

  • FINAL-REPORT.md — Executive summary with all findings
  • sprint-results.json — Detailed per-sprint data
  • patches/patch-N.md — Per-finding documentation with fix rationale

Customization

Edit the config at the top of auto-bug-finder.js:

const CONFIG = {
  contractDir: 'contracts',      // Solidity source directory
  testFile: 'test/AgentEscrow.test.js',  // Test file to run
  maxSprints: 10,                // Safety limit
  severityGate: ['Critical', 'High', 'Medium'],  // Stop when these are 0
  heuristics: true,              // Enable custom heuristic checks
};

Heuristic Checks (Beyond Slither)

  • Missing zero-address validation on sensitive parameters
  • Missing event emissions on state changes
  • Self-escrow / self-interaction risks
  • Unreachable enum states
  • State transition completeness
  • Access control gaps

Auto-Audit Policy (MANDATORY — All Code)

  • All final code (smart contracts, APIs, services, frontends) must pass Auto Bug Finder before marking complete
  • Gate: 0 Critical, 0 High, 0 Medium findings required
  • Max Sprints: 10 (safety limit)
  • Output: FINAL-REPORT.md in project auto-bug-finder/ directory
  • PM cron checks for FINAL-REPORT.md before allowing completion mark

First Run: Agent Escrow (2026-03-16)

SprintFindingsCriticalHighMediumLowInfo
1700025
27 (same)00025

Result: ✅ LOW RISK — 2 improvements applied (removed unused Status.Created, added SelfEscrow check)

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…