ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Foundry Solidity

v0.1.0

Build and test Solidity smart contracts with Foundry toolkit. Use when developing Ethereum contracts, writing Forge tests, deploying with scripts, or debuggi...

0· 14·0 current·0 all-time
byMisha Kolesnik@tenequm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: this is a Foundry (forge/cast/anvil/chisel) development guide. All included commands and references (tests, deploy scripts, anvil cheatcodes) are coherent with that purpose. However, the skill metadata declares no required environment variables or credentials while the SKILL.md repeatedly references sensitive env vars (PRIVATE_KEY, ETHERSCAN_API_KEY, MAINNET_RPC_URL, etc.), which is an inconsistency between advertised requirements and the actual usage in instructions.
Instruction Scope
SKILL.md contains explicit runtime instructions that exercise powerful local dev and chain-interaction operations: reading vm.env* values, broadcasting transactions with --private-key, impersonation (anvil impersonate), setCode/setStorage RPCs, and forking mainnet. These are expected for Foundry usage, but they require caution because they rely on environment secrets and manipulate chain state. The instructions do not instruct reading arbitrary user files or transmitting data to unknown external endpoints beyond typical RPC/explorer services, and they are fairly specific rather than open-ended.
Install Mechanism
No install specification and no code files with executable install steps are present — the skill is instruction-only. That minimizes filesystem/executable risk; nothing is downloaded or written by the skill itself.
!
Credentials
The SKILL.md references many sensitive environment variables and credential names (e.g., PRIVATE_KEY, ETHERSCAN_API_KEY, MAINNET_RPC_URL, SEPOLIA_RPC_URL, DEPLOYER_PRIVATE_KEY, TEST_ADMIN). Yet the skill metadata declares no required env vars or primary credential. This mismatch is concerning because an agent following these instructions may attempt to read environment variables or use secrets that weren’t declared or scoped by the skill metadata. The number and sensitivity of referenced env vars are proportionate to deployment/testing tasks, but they should be declared explicitly so users know the skill will access them.
Persistence & Privilege
always:false and no install steps mean the skill does not request permanent/force-installed presence. Model invocation is allowed (default) but that is normal for skills. The skill does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill is a legitimate and detailed Foundry guide for compiling, testing, debugging, and deploying Solidity contracts. Two things to watch before installing/using it: (1) SKILL.md repeatedly references sensitive environment variables (PRIVATE_KEY, ETHERSCAN_API_KEY, RPC URLs, etc.) but the skill metadata does not declare any required env vars — treat that as a red flag and assume the instructions will try to read those variables if present. (2) The guide describes powerful operations (impersonation, setting code/storage, broadcasting transactions). Only run this skill in a trusted, isolated environment and never expose real private keys to an untrusted agent. Recommendations: (a) do not provide production/private keys to the agent; use ephemeral or empty keys for experimentation; (b) run in a sandboxed environment or CI runner with scoped secrets; (c) if you want to proceed, ask the maintainer to update the skill metadata to explicitly list required env vars and justify their use; (d) review any deployment scripts (foundry.toml and script/*.s.sol) in your repo for vm.env* usage before allowing the agent to run them. If the maintainer confirms this is purely a documentation skill (no autonomous secret access), that would raise confidence to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767rkpnexd3v42a5f830yyvd844hda

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Foundry Solidity Development

Complete guide for building secure, efficient smart contracts with Foundry 1.5.0 and Solidity 0.8.30.

When to Use This Skill

  • Developing Ethereum/EVM smart contracts
  • Writing Forge tests (unit, fuzz, invariant, fork)
  • Deploying contracts with scripts
  • Using Foundry tools (forge, cast, anvil, chisel)
  • Working with foundry.toml, *.t.sol, *.s.sol files
  • Debugging transactions and contract interactions

Quick Start

# Create new project
forge init my-project && cd my-project

# Build contracts
forge build

# Run tests
forge test

# Deploy (dry-run)
forge script script/Deploy.s.sol --rpc-url sepolia

# Deploy (broadcast)
forge script script/Deploy.s.sol --rpc-url sepolia --broadcast --verify

Project Structure

my-project/
├── foundry.toml          # Configuration
├── src/                  # Contracts
│   └── Counter.sol
├── test/                 # Tests (*.t.sol)
│   └── Counter.t.sol
├── script/               # Deploy scripts (*.s.sol)
│   └── Deploy.s.sol
└── lib/                  # Dependencies
    └── forge-std/

Core Commands

Build & Test

forge build                          # Compile
forge test                           # Run all tests
forge test -vvvv                     # With traces
forge test --match-test testDeposit  # Filter by test name
forge test --match-contract Vault    # Filter by contract
forge test --fork-url $RPC_URL       # Fork testing
forge test --gas-report              # Gas usage report

Deployment

# Single contract
forge create src/Token.sol:Token --rpc-url sepolia --private-key $KEY --broadcast

# Script deployment (recommended)
forge script script/Deploy.s.sol:Deploy --rpc-url sepolia --broadcast --verify

# Verify existing contract
forge verify-contract $ADDRESS src/Token.sol:Token --chain sepolia

Cast - Blockchain Interactions

cast call $CONTRACT "balanceOf(address)" $USER --rpc-url mainnet
cast send $CONTRACT "transfer(address,uint256)" $TO $AMOUNT --private-key $KEY
cast decode-tx $TX_HASH
cast storage $CONTRACT 0 --rpc-url mainnet

Anvil - Local Node

anvil                           # Start local node
anvil --fork-url $RPC_URL       # Fork mainnet
anvil --fork-block-number 18000000

Basic Test Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.30;

import {Test, console} from "forge-std/Test.sol";
import {Counter} from "../src/Counter.sol";

contract CounterTest is Test {
    Counter public counter;
    address public user;

    function setUp() public {
        counter = new Counter();
        user = makeAddr("user");
        deal(user, 10 ether);
    }

    function test_Increment() public {
        counter.increment();
        assertEq(counter.number(), 1);
    }

    function test_RevertWhen_Unauthorized() public {
        vm.expectRevert("Unauthorized");
        vm.prank(user);
        counter.adminFunction();
    }

    function testFuzz_SetNumber(uint256 x) public {
        x = bound(x, 0, 1000);
        counter.setNumber(x);
        assertEq(counter.number(), x);
    }
}

Essential Cheatcodes

// Identity & ETH
address alice = makeAddr("alice");          // Create labeled address
deal(alice, 10 ether);                      // Give ETH
deal(address(token), alice, 1000e18);       // Give ERC20

// Impersonation
vm.prank(alice);                            // Next call as alice
vm.startPrank(alice);                       // All calls as alice
vm.stopPrank();

// Time & Block
vm.warp(block.timestamp + 1 days);          // Set timestamp
vm.roll(block.number + 100);                // Set block number

// Assertions
vm.expectRevert("Error message");           // Expect revert
vm.expectRevert(CustomError.selector);      // Custom error
vm.expectEmit(true, true, false, true);     // Expect event
emit Transfer(from, to, amount);            // Must match next emit

// Storage
vm.store(addr, slot, value);                // Write storage
vm.load(addr, slot);                        // Read storage

Deploy Script

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.30;

import {Script, console} from "forge-std/Script.sol";
import {Counter} from "../src/Counter.sol";

contract Deploy is Script {
    function run() external {
        uint256 deployerKey = vm.envUint("PRIVATE_KEY");

        vm.startBroadcast(deployerKey);
        Counter counter = new Counter();
        counter.setNumber(42);
        vm.stopBroadcast();

        console.log("Deployed to:", address(counter));
    }
}

Modern Solidity Patterns (0.8.30)

// Custom errors (gas efficient)
error InsufficientBalance(uint256 available, uint256 required);

// Transient storage (0.8.28+) - cheap reentrancy guard
bool transient locked;
modifier nonReentrant() {
    require(!locked, "Reentrancy");
    locked = true;
    _;
    locked = false;
}

// Immutable variables (cheap reads)
address public immutable owner;

// Named mapping parameters
mapping(address user => uint256 balance) public balances;

// require with custom error (0.8.26+)
require(amount <= balance, InsufficientBalance(balance, amount));

Configuration (foundry.toml)

[profile.default]
src = "src"
out = "out"
libs = ["lib"]
solc = "0.8.30"
optimizer = true
optimizer_runs = 200
evm_version = "prague"

fuzz.runs = 256
invariant.runs = 256
invariant.depth = 50

[rpc_endpoints]
mainnet = "${MAINNET_RPC_URL}"
sepolia = "${SEPOLIA_RPC_URL}"

[etherscan]
mainnet = { key = "${ETHERSCAN_API_KEY}" }
sepolia = { key = "${ETHERSCAN_API_KEY}" }

[profile.ci]
fuzz.runs = 10000
invariant.runs = 1000

References

For detailed guides, see:

  • Testing: See references/testing.md for complete testing patterns (unit, fuzz, invariant, fork), all cheatcodes, and best practices
  • forge-std API: See references/forge-std-api.md for complete library reference (150+ functions)
  • Solidity 0.8.30: See references/solidity-modern.md for new features and modern syntax
  • Deployment: See references/deployment.md for scripting, verification, and multi-chain deployment
  • Configuration: See references/configuration.md for all foundry.toml options
  • Gas Optimization: See references/gas-optimization.md for storage packing, compiler settings, and profiling
  • Patterns: See references/patterns.md for access control, reentrancy guards, factories, and common idioms
  • Security: See references/security.md for vulnerabilities, defensive patterns, and audit preparation
  • Resources: See references/resources.md for official docs, libraries, security tools, and learning paths
  • Debugging: See references/debugging.md for traces, breakpoints, console.log, and the interactive debugger
  • Dependencies: See references/dependencies.md for forge install, remappings, and Soldeer package manager
  • CI/CD: See references/cicd.md for GitHub Actions workflows, caching, and gas tracking
  • Chisel: See references/chisel.md for the interactive Solidity REPL
  • Cast Advanced: See references/cast-advanced.md for decoding, encoding, wallet management, and batch operations
  • Anvil Advanced: See references/anvil-advanced.md for impersonation, state manipulation, and mining modes

Files

17 total
Select a file
Select a file to preview.

Comments

Loading comments…