Setup Solidity Contracts
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Solidity setup guide, but users should review the package-install and remote installer commands before running them.
This looks safe as an instruction-only setup guide. Before using it, review the shell and package installation commands, verify the official Foundry and OpenZeppelin sources, and make sure the commands are run only in the intended project directory.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running these commands changes the user's local project dependencies and relies on external package sources.
The skill directs users to install third-party packages from npm and GitHub-based Foundry dependencies. This is purpose-aligned for a Solidity setup guide, and the Foundry instructions explicitly recommend pinning a release tag.
npm install @openzeppelin/contracts
...
forge install OpenZeppelin/openzeppelin-contracts@v<VERSION>
Verify package names and sources, prefer pinned versions where practical, and review dependency changes before committing or deploying.
If the user runs it, a remote installer can modify the local development environment.
The Foundry setup uses a remote shell installer. It is presented as a user-directed setup step and is central to the skill's purpose, but it still executes downloaded code on the user's machine.
curl -L https://foundry.paradigm.xyz | bash
foundryup
Run the installer only after confirming the URL is the official Foundry source and understanding what the installer does.
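The pre-flight script below is an added example, not part of the ClawScan report or of the skill it reviews. It turns the advice in both findings into checks a user can run before touching the project: the Foundry installer URL is accepted only over HTTPS on the exact host quoted in the finding, the installer is saved to a file for reading rather than piped into bash, and forge/npm dependency specs are reported as UNPINNED unless they name an exact release. The function names, the temporary file path and the version numbers used in the demonstration are placeholders chosen for illustration; only the host foundry.paradigm.xyz and the two package names come from the findings.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two findings above.
# Function names, /tmp paths and sample version numbers are placeholders;
# only the host foundry.paradigm.xyz comes from the finding.

# Finding 2: accept the installer URL only if it is HTTPS and the host is
# exactly foundry.paradigm.xyz. A path after the host is allowed; a
# look-alike host such as foundry.paradigm.xyz.example is not.
check_installer_url() {
  case "$1" in
    https://foundry.paradigm.xyz|https://foundry.paradigm.xyz/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Finding 2: download the installer to a file instead of piping it into
# bash, print its digest, and leave execution to the user after reading it.
# (Not run at top level: it needs the network. sha256sum is the GNU tool;
# on macOS use `shasum -a 256`.)
download_for_review() {
  url=$1
  out=$2
  if ! check_installer_url "$url"; then
    echo "refusing $url: not the official Foundry installer host" >&2
    return 1
  fi
  # --proto/--proto-redir '=https' refuse any hop that is not HTTPS.
  curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 \
       -o "$out" "$url" || return 1
  sha256sum "$out"
  echo "saved to $out; read it, then run: bash $out && foundryup"
}

# Finding 1: a forge dependency is pinned only if it carries an explicit
# release tag (owner/repo@vX.Y.Z). A bare owner/repo or @main floats.
is_pinned_forge_dep() {
  case "$1" in
    */*@v[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Finding 1: an npm spec is pinned only if it ends in an exact version.
# Ranges such as ^5.0.0 or ~5.0.0 are rejected; use `npm install --save-exact`.
is_pinned_npm_dep() {
  case "$1" in
    *@[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Review entries of the form forge:SPEC or npm:SPEC and report each one.
# Returns 0 only if every entry is pinned.
report_deps() {
  unpinned=0
  for entry in "$@"; do
    kind=${entry%%:*}
    spec=${entry#*:}
    case "$kind" in
      forge) is_pinned_forge_dep "$spec" && ok=yes || ok=no ;;
      npm)   is_pinned_npm_dep "$spec"   && ok=yes || ok=no ;;
      *)     echo "unknown kind in $entry" >&2; return 2 ;;
    esac
    if [ "$ok" = yes ]; then
      echo "pinned   $kind $spec"
    else
      echo "UNPINNED $kind $spec"
      unpinned=$((unpinned + 1))
    fi
  done
  [ "$unpinned" -eq 0 ]
}

# Offline demonstration on the commands quoted in the findings. The npm
# entry is the unpinned form the skill shows; v5.0.2 is a placeholder tag.
report_deps "npm:@openzeppelin/contracts" \
            "forge:OpenZeppelin/openzeppelin-contracts@v5.0.2" \
  || echo "fix the UNPINNED entries before installing"
check_installer_url "https://foundry.paradigm.xyz" && echo "installer host ok"
download_for_review "http://foundry.paradigm.xyz" /tmp/foundry-install.sh \
  || echo "(plain-HTTP URL refused before any download, as intended)"
```

The checks are deliberately strict string matches rather than a full URL parser: the goal is to refuse anything that is not literally the source the finding names, so a user who copies a modified command from elsewhere gets a refusal instead of a silent download.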
