Auto Bug Finder
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Solidity security scanner, but it overreaches by making itself a mandatory all-code gate, running shell tools from an unexpected parent directory, and being hardcoded to a specific AgentEscrow project while advertised more broadly.
Do not install this as a general always-trusted coding policy. If you use it, run it only in a disposable branch of the exact Solidity project you intend to audit, inspect the script paths first, review every generated patch manually, and make sure Hardhat/Slither dependencies are installed from trusted, pinned sources.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent may run this tool or block task completion based on the skill author's claimed policy rather than the user's actual request.
The skill tries to impose a mandatory completion gate on all code, not just when the user asks for this scanner.
## Auto-Audit Policy (MANDATORY — All Code)
- **All final code** ... must pass Auto Bug Finder before marking complete
- **Gate:** 0 Critical, 0 High, 0 Medium findings required
Treat the policy as optional unless it is your organization's explicit policy; the skill should scope this to user-invoked Solidity audits.
Users may believe the tool will audit their project generally, while it may target the wrong files, miss most contracts, or fail unexpectedly.
The implementation is hardcoded to a specific contract and test file, despite the skill being presented as a general Solidity security scanner.
const CONTRACT_PATH = path.join(PROJECT_DIR, 'contracts', 'AgentEscrow.sol');
const TEST_PATH = path.join(PROJECT_DIR, 'test', 'AgentEscrow.test.js');
Make the advertised scope match the code, or require explicit configurable contract/test paths before running.
The script could compile, test, or run tooling in an unintended directory, potentially executing the wrong local project configuration or plugins.
All shell commands run in the parent directory of the script, which may not be the project root described in the usage instructions.
const PROJECT_DIR = path.resolve(__dirname, '..');
...
exec(cmd, {
cwd: PROJECT_DIR,
Run only in a disposable checkout, verify the working directory first, and prefer a version that uses an explicit project path or process.cwd() with validation.
An automated fix to smart-contract code could persist and compound across sprints, even if later tests or scans appear clean.
The declared workflow repeatedly applies fixes and reruns checks until a gate passes, but the artifacts do not show per-patch user approval, branch isolation, or rollback controls.
* 3. FIX - Generate and apply patches
* 4. VERIFY - Recompile and retest
* 5. LOOP - Repeat until clean or max sprints
Require human review of each diff, run on a separate branch, keep backups, and do not deploy changes solely because this script reports a clean gate.
Users may need to install or rely on undeclared npm/pip tooling, which affects reproducibility and provenance.
The registry metadata declares no required binaries, while SKILL.md requires Node.js, a Hardhat project, Slither, and likely coverage tooling.
Required binaries (all must exist): none
Required binaries (at least one): none
Required env vars: none
Declare required binaries and versions, and install dependencies through a reviewed, pinned setup process.
