foundry-solidity
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Foundry/Solidity development guide, but it includes wallet-key and broadcast examples that can create real blockchain transactions if used.
Install this only if you intend to use Foundry for smart-contract development. Keep wallet secrets out of repositories and shell history, prefer testnet or limited deployer keys, dry-run deployments before broadcasting, and require explicit approval before any command that signs, sends, verifies, or deploys on-chain.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a funded wallet key is supplied, the agent could help run commands that spend gas or transfer assets.
The skill explicitly supports using a wallet private key for deployment. This is expected for smart-contract deployment, but a private key can authorize irreversible transactions if misused.
`PRIVATE_KEY ... description: Deployer signing key. Use throwaway/testnet keys.`
Use a testnet or least-privilege deployer key, avoid pasting seed phrases or main wallets, and require explicit approval before any signing or broadcast action.
A mistaken network, recipient, amount, or contract script could deploy or send transactions on the wrong chain.
The skill documents Foundry broadcast commands that submit on-chain transactions. This is purpose-aligned, but on-chain actions can be costly or irreversible.
`forge script script/Deploy.s.sol --rpc-url sepolia --broadcast --verify`
Dry-run first, verify chain IDs and RPC URLs, review generated transactions, and only allow `--broadcast`, `forge create`, or `cast send` after explicit user confirmation.
