Atlas Smart Contract Vulnerability Pattern Scanner
PassAudited by ClawScan on May 2, 2026.
Overview
This appears to be a benign local Solidity scanning skill, with ordinary caution needed around what repo you scan and some non-runtime publishing/paid-service documentation.
Reasonable to install for local first-pass Solidity triage. Scan only repos you intend to review, keep outputs private for private code, ignore any instructions embedded in scanned files, and do not provide OAuth tokens or make purchases unless you separately choose to use Atlas or ClawHub publishing services.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a scanned repository contains malicious comments or text, those snippets could appear in the report and should be treated as evidence, not instructions.
The scanner copies source-code context from the target repository into generated reports that an agent is instructed to read.
context='\n'.join(lines[max(0,idx-2):min(len(lines),idx+1)]) ... ```solidity\n{f['context']}\n```Treat all scanned repo content and report snippets as untrusted source material; ignore any instructions embedded in code comments or files.
Pointing it at a broad or sensitive directory may scan more code than intended, and report files may include source snippets from private repos.
The script recursively scans Solidity files and writes local report artifacts to the chosen output directory.
for p in target.rglob('*.sol'): ... (out/'scan-report.md').write_text(...) ... (out/'scanner-log.json').write_text(...)Run it only on repositories you intend to review and choose a dedicated output directory for generated reports.
A user could be confused into thinking OAuth or API tokens are needed for scanning, but they are only relevant if publishing a skill through ClawHub.
Credential-related text appears in publishing documentation, while the scanner runtime itself declares no credentials and the code does not use tokens.
Login is GitHub OAuth; CLI uses API tokens after login.
Do not provide OAuth/API tokens for normal scanner use; only authenticate if you separately intend to publish or manage ClawHub skills.