Lance

v0.0.1

Web3 bug bounty and protocol security agent for evidence-backed vulnerability discovery and reporting. Use when auditing smart contracts, DeFi protocols, wal...

by Emperor Prime (@shaniidev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Web3 bug bounty and protocol security) matches the included artifacts: gating workflow docs, vulnerability playbooks, report templates, and helper scripts (scope parsing, target normalization, report generation, triage simulation, adapter). No unrelated dependencies or environment variables are requested.
Instruction Scope
SKILL.md defines a tight 7-gate auditing workflow and references the shipped scripts and reference docs. The instructions only reference local files (scope files, repo paths, finding JSON) and the shipped scripts; they do not instruct the agent to read unrelated host secrets, call hidden external endpoints, or exfiltrate data. The skill also explicitly requires scope authorization before testing, which is appropriate.
Install Mechanism
This is instruction-plus-scripts with no install spec; scripts are plain Python files that operate on local files/JSON and produce reports. No download-from-URL or binary install steps are present, which minimizes supply-chain risk.
Credentials
No required environment variables, credentials, or config paths are declared. The scripts operate on user-provided files (scope, targets, findings) and do not require secrets. There are no unrelated or excessive credential requests.
Persistence & Privilege
The skill does not set always: true and does not request system-wide configuration changes. Agent interface files set allow_implicit_invocation: true for several agents (enabling implicit/autonomous invocation). This is expected for skills intended for on-demand auditing, but be aware that implicit invocation allows agents to call the skill whenever they think it is helpful; review prompts and scope authorization to avoid accidental use on unauthorized targets.
Assessment
Lance appears to be a coherent local auditing/reporting toolkit: it parses scope files, normalizes targets, adapts scanner outputs, simulates triage, and generates platform-specific reports. Before installing or invoking it:
1) Only run against targets you explicitly own or have written permission to test (the SKILL.md enforces a scope gate).
2) The scripts read local files (scope docs, repo paths, finding JSON); do not supply private keys, RPC credentials, or other secrets as input.
3) Because agents are allowed implicit invocation, check your agent prompts/permissions so the skill isn't invoked on unintended data.
4) If you plan to run the Python scripts, review them locally and run them in an isolated environment (virtualenv/container) to keep scope-limited operations separated from sensitive host files.
Overall the package is consistent with its stated purpose and contains no obvious hidden network endpoints, credential exfiltration, or unusual install steps.
