Upgrade Solidity Contracts

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: upgrade-solidity-contracts
Version: 1.0.1

The skill bundle provides legitimate documentation for Solidity contract upgrades but includes a high-risk instruction in SKILL.md: the agent is told to run a Bash command that invokes `node -e` to calculate ERC-7201 storage slots, taking a namespace ID as an argument. The hashing logic itself is correct, but instructing an agent to assemble and run a shell command around a variable input means an ID containing shell metacharacters (quotes, semicolons, backticks) is interpreted by the shell rather than hashed, which is a significant shell injection vulnerability. No evidence of intentional malice, data exfiltration, or backdoors was found.
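The ERC-7201 calculation and the injection risk described above, as an added example that is not code from the audited skill or from ClawScan. It carries its own Keccak-256 (BigInt lanes, no npm dependency) so the slot is computed in-process with no shell at all; the `node -e` command shape shown is hypothetical (the skill's exact wording is not reproduced), and the namespace allowlist is a local policy that ERC-7201 itself does not mandate. The two namespace ids in the usage section match the constants published in ERC-7201 and in OpenZeppelin's `Initializable` contract.

```javascript
'use strict';
// Added example, not code from the audited skill. Self-contained Keccak-256 (BigInt lanes)
// so ERC-7201 slots can be computed in-process, with no shell and no npm dependency.
const MASK64 = (1n << 64n) - 1n;
const MASK256 = (1n << 256n) - 1n;
const RC = [
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n,
];
const ROTC = [1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44];
const PILN = [10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1];
const rotl64 = (x, n) => ((x << BigInt(n)) | (x >> BigInt(64 - n))) & MASK64;

// Keccak-f[1600] permutation over 25 little-endian 64-bit lanes (theta, rho+pi, chi, iota).
function keccakF1600(st) {
  const bc = new Array(5);
  for (let r = 0; r < 24; r++) {
    for (let i = 0; i < 5; i++) bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20];
    for (let i = 0; i < 5; i++) {
      const t = bc[(i + 4) % 5] ^ rotl64(bc[(i + 1) % 5], 1);
      for (let j = 0; j < 25; j += 5) st[j + i] ^= t;
    }
    let t = st[1];
    for (let i = 0; i < 24; i++) {
      const j = PILN[i];
      const next = st[j];
      st[j] = rotl64(t, ROTC[i]);
      t = next;
    }
    for (let j = 0; j < 25; j += 5) {
      for (let i = 0; i < 5; i++) bc[i] = st[j + i];
      for (let i = 0; i < 5; i++) st[j + i] ^= (~bc[(i + 1) % 5] & MASK64) & bc[(i + 2) % 5];
    }
    st[0] ^= RC[r];
  }
}

// Keccak-256 as used by the EVM: rate 136 bytes and the original 0x01...0x80 padding
// (NIST SHA3-256 pads with 0x06 and produces different digests).
function keccak256(bytes) {
  const RATE = 136;
  const padded = new Uint8Array(bytes.length + (RATE - (bytes.length % RATE)));
  padded.set(bytes);
  padded[bytes.length] |= 0x01;
  padded[padded.length - 1] |= 0x80;
  const st = new Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += RATE) {
    for (let i = 0; i < RATE / 8; i++) {
      let lane = 0n;
      for (let b = 7; b >= 0; b--) lane = (lane << 8n) | BigInt(padded[off + i * 8 + b]);
      st[i] ^= lane;
    }
    keccakF1600(st);
  }
  const out = new Uint8Array(32);
  for (let i = 0; i < 4; i++) for (let b = 0; b < 8; b++) out[i * 8 + b] = Number((st[i] >> BigInt(8 * b)) & 0xffn);
  return out;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// ERC-7201: keccak256(abi.encode(uint256(keccak256(bytes(id))) - 1)) & ~bytes32(uint256(0xff))
function erc7201Slot(id) {
  const h1 = BigInt('0x' + toHex(keccak256(new TextEncoder().encode(id))));
  const v = (h1 - 1n) & MASK256;
  const word = new Uint8Array(32); // abi.encode(uint256): one 32-byte big-endian word
  for (let i = 0; i < 32; i++) word[31 - i] = Number((v >> BigInt(8 * i)) & 0xffn);
  const h2 = BigInt('0x' + toHex(keccak256(word)));
  return '0x' + ((h2 >> 8n) << 8n).toString(16).padStart(64, '0'); // clear the low byte
}

// Shape of the instruction the audit flags (hypothetical text, not the skill's exact command):
// the id is spliced into a shell string, so a quote inside the id ends the argument early.
function buildShellCommand(id) {
  return `node -e "console.log(slot(process.argv[1]))" "${id}"`;
}
// Hardened shape: an argv array for child_process.execFileSync, which spawns no shell, so the
// id arrives as one literal argument. Computing in-process (erc7201Slot) avoids even that.
function buildArgv(id) {
  return ['node', '-e', 'console.log(slot(process.argv[1]))', id];
}
// Assumption: namespace ids are dotted identifiers (as in "erc7201:example.main"); ERC-7201
// does not mandate this, so treat the allowlist as local policy applied before any spawn.
const NAMESPACE_ID_RE = /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/;
const isSafeNamespaceId = (id) => NAMESPACE_ID_RE.test(id);

// Constructed hostile input: closes the quoted argument and appends a (harmless) command.
const HOSTILE_ID = 'example.main"; echo INJECTED; echo "';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(erc7201Slot('example.main'));                  // published ERC-7201 example constant
  console.log(erc7201Slot('openzeppelin.storage.Initializable'));
  console.log(buildShellCommand(HOSTILE_ID));                // the appended command is visible
  console.log(JSON.stringify(buildArgv(HOSTILE_ID)));        // the id stays a single element
  console.log(isSafeNamespaceId(HOSTILE_ID));                // false
}
```

The point for an agent-driven workflow is the last three functions: a string handed to a shell is reparsed, an argv array is not, and an allowlist on the id removes the question entirely. Since the slot formula is two hashes and a mask, there is no reason for the agent to spawn anything.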

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unreviewed upgrade could alter a deployed contract, break storage compatibility, or affect assets and users depending on that contract.

Why it was flagged

The skill is meant to guide deployment and upgrade workflows that can change live smart-contract behavior. This is purpose-aligned, but such actions are high-impact if followed without human review.

Skill content
use the Hardhat or Foundry upgrades plugins ... validate upgrade safety ... manage proxy deployments and upgrades
Recommendation

Use the skill as guidance, but require explicit human review for every deployment or upgrade transaction, test on a fork or testnet first, and use standard controls such as multisig ownership, timelocks, and the upgrades plugin's upgrade-safety (storage layout) validation.

What this means

Choosing the wrong owner or admin could give the wrong party control over contract upgrades.

Why it was flagged

The skill includes instructions about assigning upgrade-control ownership. This is expected for proxy administration, but the selected owner address directly controls future upgrades.

Skill content
The second constructor parameter is the owner address for that auto-deployed `ProxyAdmin` ... Transfer of upgrade capability is handled exclusively through `ProxyAdmin` ownership.
Recommendation

Verify all owner/admin addresses before deployment, prefer audited multisig ownership for production contracts, and document who can authorize upgrades.

What this means

Users may not be able to confirm that the guidance actually comes from the claimed or expected project source.

Why it was flagged

The registry metadata does not provide a source repository or homepage to verify provenance, even though the skill covers security-sensitive smart-contract upgrade guidance.

Skill content
Source: unknown; Homepage: none
Recommendation

Cross-check important upgrade guidance against official OpenZeppelin documentation and your project’s audited deployment process before relying on it.