Atlas Smart Contract Vulnerability Pattern Scanner

Verdict: Pass. Audited by VirusTotal on May 2, 2026.

Overview

Type: OpenClaw Skill
Name: atlas-vuln-scanner
Version: 0.1.0

The bundle provides a legitimate static analysis tool for scanning Solidity smart contracts for common vulnerability patterns using regex. The Python script (scripts/atlas_vuln_scanner.py) is transparent, contains no network or shell execution logic, and limits its operations to local file reading and report generation. The instructions in SKILL.md include proactive security guardrails, such as advising the agent not to disclose findings externally without human approval, and the documentation (MONETIZATION-PLAN.md, PUBLISH-CHECKLIST.md) is consistent with a standard 'freemium' software distribution model.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a scanned repository contains malicious comments or text, those snippets could appear in the report and should be treated as evidence, not instructions.

Why it was flagged

The scanner copies source-code context from the target repository into generated reports that an agent is instructed to read.

Skill content

context='\n'.join(lines[max(0,idx-2):min(len(lines),idx+1)]) ... ```solidity\n{f['context']}\n```
Recommendation

Treat all scanned repo content and report snippets as untrusted source material; ignore any instructions embedded in code comments or files.

What this means

Pointing it at a broad or sensitive directory may scan more code than intended, and report files may include source snippets from private repos.

Why it was flagged

The script recursively scans Solidity files and writes local report artifacts to the chosen output directory.

Skill content

for p in target.rglob('*.sol'): ... (out/'scan-report.md').write_text(...) ... (out/'scanner-log.json').write_text(...)
Recommendation

Run it only on repositories you intend to review and choose a dedicated output directory for generated reports.

What this means

A user could be confused into thinking OAuth or API tokens are needed for scanning, but they are only relevant if publishing a skill through ClawHub.

Why it was flagged

Credential-related text appears in publishing documentation, while the scanner runtime itself declares no credentials and the code does not use tokens.

Skill content

Login is GitHub OAuth; CLI uses API tokens after login.
Recommendation

Do not provide OAuth/API tokens for normal scanner use; only authenticate if you separately intend to publish or manage ClawHub skills.