Smart Contract Audit

v1.0.0

Audit Solidity contracts for common vulnerabilities and design risks.

by Mauricio Z. Filho (@mzfshark)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mzfshark/axodus-smartcontracts-audits.

Prompt Preview: Install & Setup
Install the skill "Smart Contract Audit" (mzfshark/axodus-smartcontracts-audits) from ClawHub.
Skill page: https://clawhub.ai/mzfshark/axodus-smartcontracts-audits
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install mzfshark/axodus-smartcontracts-audits

ClawHub CLI


npx clawhub@latest install axodus-smartcontracts-audits
Security Scan

Capability signals: Crypto

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name, description, and runtime instructions all align: the skill describes checklist-based auditing of Solidity contracts and requires only contract sources as input. Minor metadata inconsistencies exist (author listed as "RedHat Dev" in SKILL.md/_meta.json while registry owner is a different ID), which is a provenance/labeling issue but not a technical mismatch with functionality.
Instruction Scope
SKILL.md is explicit and scoped to analyzing the provided `scope` files, mapping entrypoints/roles, checklist review, and producing findings. It does not instruct the agent to read unrelated files, access external endpoints, or exfiltrate data. It also contains safety guidance not to provide exploit code for real targets.
Install Mechanism
There is no install spec and no code files. This is instruction-only, so nothing will be downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential request for the described audit functionality.
Persistence & Privilege
The skill does not request always:true and is user-invocable. The skill allows normal autonomous model invocation (platform default), which increases blast radius only in combination with other risks — no such risks are present here.
Assessment
This skill is instruction-only and appears coherent for auditing Solidity source files. However: (1) verify the skill author/owner provenance before trusting reports (metadata shows inconsistent author/owner labels); (2) do not feed any private keys, mnemonic phrases, or other secrets as part of the 'scope' input — audits should only include contract source and harmless test artifacts; (3) treat the generated audit as advisory: cross-check findings with standard static analyzers (Slither, Mythril, Echidna) and manual review before deploying; (4) although the SKILL.md asks not to provide exploit code, the model could still produce PoC snippets — review outputs for disallowed content and never run exploit code against real systems. If you need stronger assurance, prefer a skill with verifiable source (GitHub repo, maintainer identity) or run audits locally using known open-source tools.


latest: vk977jdcsq0dpjga3vwh0cfk0k185fmwe
36 downloads
0 stars
1 version
Updated 20h ago
v1.0.0
License: MIT-0

SKILL: smart-contract-audit

Purpose

Perform a deterministic, evidence-based vulnerability review of Solidity contracts and produce a prioritized audit report with concrete fixes.

When to Use

  • Before any deployment (even testnet) of value-bearing contracts.
  • After changing access control, external calls, accounting, or token logic.
  • When integrating with external protocols.

Inputs

  • scope (required, string[]): contract files and dependencies.
  • threat_model (optional, string): assets at risk, attacker capabilities, trust assumptions.
  • deployment_assumptions (optional, string): upgradeability, admin keys, multisig/DAO governance.

Steps

  1. Map the system:
    • entrypoints (public/external)
    • privileged roles
    • external calls and token transfers
  2. Run checklist-based review:
    • access control (missing/overbroad roles)
    • reentrancy surfaces (external calls, callbacks)
    • accounting correctness (under/overflow, rounding, precision, fee logic)
    • ERC standard compliance (events, return values)
    • upgradeability hazards (storage layout, initializer patterns)
    • DoS vectors (unbounded loops, griefing)
  3. Identify invariants and where they can break.
  4. Produce findings with reproduction notes and recommended fixes.

Validation

  • Every finding includes:
    • impacted function(s)
    • why it’s exploitable or risky
    • concrete remediation guidance
  • Non-issues are explicitly marked as “informational” when needed.

Output

Audit report (example schema):

summary: "<system overview + top risks>"
findings:
  - id: "SC-001"
    severity: "critical|high|medium|low|info"
    title: "<short>"
    location: ["contracts/X.sol:123"]
    description: "<what is wrong>"
    impact: "<what can happen>"
    recommendation: "<how to fix>"
assumptions: ["..."]

Safety Rules

  • Do not provide exploit code for real targets.
  • Do not claim “secure” or “audited” as an absolute; report risk and evidence.
  • Escalate to stricter review if funds or governance are at stake.

Example

Scope: ["contracts/Vault.sol", "contracts/Token.sol"]
Output: includes reentrancy review of withdraw() and role boundaries for setFee().
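To make the checklist steps and this example concrete, here is an added illustration (not code from the skill, from ClawHub, or from any audited project) of what a finding on withdraw() and setFee() looks like in source form: a "before" Vault with the two defects the checklist targets (an external call before the state update, and an unrestricted fee setter), followed by the "after" contract carrying the recommended fixes. Contract names, the MAX_FEE_BPS cap, the event names and the finding ids are assumptions made for this walkthrough.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts (added example, not part of the skill or any real
// project). All names, ids and limits below are assumptions for the walkthrough.

// "Before": the shape a checklist review would flag.
contract VaultBefore {
    mapping(address => uint256) public balances;
    uint256 public feeBps;   // fee in basis points
    address public owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // SC-001 (critical, reentrancy surface): the external call happens before the
    // balance is zeroed, so a contract recipient's receive() hook can call
    // withdraw() again while balances[msg.sender] still holds the full amount.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction first
        require(ok, "transfer failed");
        balances[msg.sender] = 0;                            // effect last
    }

    // SC-002 (high, access control): anyone can set the fee, and there is no
    // upper bound, so a fee of 10_000 bps (100%) is accepted.
    function setFee(uint256 bps) external {
        feeBps = bps;
    }
}

// "After": the same contract with the recommended fixes applied.
contract VaultAfter {
    mapping(address => uint256) public balances;
    uint256 public feeBps;
    address public owner;
    uint256 public constant MAX_FEE_BPS = 1_000;   // 10% cap (assumed policy)
    bool private locked;                           // minimal reentrancy guard

    event FeeUpdated(uint256 oldBps, uint256 newBps);
    event Withdrawn(address indexed account, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is cleared before the external
    // call, and the guard rejects a nested call even if a later edit reorders
    // the lines. The event gives reviewers an on-chain trace to reconcile.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");          // check
        balances[msg.sender] = 0;                            // effect
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction
        require(ok, "transfer failed");
    }

    // Role boundary plus a bounded parameter; the event records who changed
    // what so governance changes are auditable off-chain.
    function setFee(uint256 bps) external onlyOwner {
        require(bps <= MAX_FEE_BPS, "fee exceeds cap");
        emit FeeUpdated(feeBps, bps);
        feeBps = bps;
    }
}
```

Read against the checklist: step 1 maps deposit(), withdraw() and setFee() as entrypoints and owner as the only privileged role; step 2 flags the call-before-effect ordering and the missing role and bound on setFee(); step 3 names the invariants the fixes restore (the contract's ETH balance never drops below the sum of balances, and feeBps never exceeds MAX_FEE_BPS); step 4 is the finding text a report would carry under the schema above. The guard in VaultAfter is written inline to keep the example self-contained; in a real code base the equivalent OpenZeppelin ReentrancyGuard and Ownable contracts are the usual choice.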
