Upgrade Solidity Contracts
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be an instruction-only Solidity upgrade guide, but smart-contract upgrades are high-impact and the source is not verified in the provided metadata.
This skill looks purpose-aligned and instruction-only. Before installing or using it for real deployments, verify the guidance against official OpenZeppelin sources and ensure any deployment or upgrade transaction is explicitly reviewed by the contract owner or security team.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unreviewed upgrade could alter a deployed contract, break storage compatibility, or affect assets and users depending on that contract.
The skill is meant to guide deployment and upgrade workflows that can change live smart-contract behavior. This is purpose-aligned, but such actions are high-impact if followed without human review.
use the Hardhat or Foundry upgrades plugins ... validate upgrade safety ... manage proxy deployments and upgrades
Use the skill as guidance, but require explicit human review for deployment or upgrade transactions, test on a fork or testnet first, and use standard controls such as multisig, timelocks, and upgrade validation.
Choosing the wrong owner or admin could give the wrong party control over contract upgrades.
The skill includes instructions about assigning upgrade-control ownership. This is expected for proxy administration, but the selected owner address directly controls future upgrades.
The second constructor parameter is the owner address for that auto-deployed `ProxyAdmin` ... Transfer of upgrade capability is handled exclusively through `ProxyAdmin` ownership.
Verify all owner/admin addresses before deployment, prefer audited multisig ownership for production contracts, and document who can authorize upgrades.
Users may not be able to confirm that the guidance actually comes from the claimed or expected project source.
The registry metadata does not provide a source repository or homepage to verify provenance, even though the skill covers security-sensitive smart-contract upgrade guidance.
Source: unknown; Homepage: none
Cross-check important upgrade guidance against official OpenZeppelin documentation and your project’s audited deployment process before relying on it.
