Skill v1.0.1
ClawScan security
Solidity Audit Precheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 1:16 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required actions, and tooling are coherent with an automated Solidity pre-audit checklist; it asks for no extra credentials or unusual system access, but it does recommend installing and running third‑party developer tools (including a remote install script) so follow normal caution when installing/executing those tools.
- Guidance
- This skill appears to do what it advertises: run local static analysis, linting, and AST checks on Solidity code. Before installing or following its install commands:
  1. Inspect the remote installer (foundry.paradigm.xyz) before running curl | bash, and prefer platform packages or pinned installers where possible.
  2. Install Python/Node/Rust tools in isolated environments (virtualenv, nvm, cargo home) or CI containers to limit system impact.
  3. Pin tool versions to ensure reproducible results.
  4. Don't provide any secrets; the skill does not request them and they are unnecessary.
  5. Treat automated checks as a pre-filter only and still obtain a manual audit for production deployments.
  If you want higher assurance, ask the author for a signed, versioned install manifest or prefer installing tools from your organization's approved package sources.
Review Dimensions
- Purpose & Capability
- ok: Name and description (Solidity pre-audit checklist) match the instructions: static analysis (Slither, Mythril), linting (Solhint), AST analysis (Aderyn), and Foundry workflows are all expected for this purpose. No unrelated capabilities or credentials are requested.
- Instruction Scope
- ok: SKILL.md explicitly instructs the agent/operator to enumerate contract files, run analyzers, and inspect project config files (foundry.toml, remappings, package.json). Those actions are within the stated scope and do not ask the agent to read unrelated system files or exfiltrate data.
- Install Mechanism
- note: The skill recommends installing multiple third-party tools via pip, npm, cargo, and a curl | bash installer for Foundry. These install methods are common for dev tooling but carry higher risk (especially the remote install script). The instructions do not bundle or pin specific release artifacts within the skill itself.
- Credentials
- ok: No environment variables, credentials, or config paths are required by the skill. The operations described act on the local codebase only, which is appropriate for a pre-audit checklist.
- Persistence & Privilege
- ok: The skill does not request always-on presence and does not instruct modifying other skills or global agent configuration. Autonomous invocation is allowed by default but is not combined with elevated privileges or secret access.
