DeFi Security Audit

v1.1.0

Analyze a DeFi protocol for vulnerabilities, mechanism safety, and risk factors. Use when the user wants to audit a DeFi project, check protocol security, or...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Can sign transactions
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description match the observed behavior. Required binaries (curl, jq) and the included helper script (scripts/goplus-check.sh) are directly related to calling public DeFiLlama and GoPlus APIs and parsing JSON — appropriate for a research/audit skill. No unrelated cloud credentials, config paths, or opaque dependencies are requested.
Instruction Scope
SKILL.md instructs the agent to run web searches, call DeFiLlama and GoPlus public APIs (via curl), and optionally run the included goplus-check.sh script. It does not instruct reading system credential files or environment variables beyond what is declared. Note: the skill's allowed-tools include Write/Edit and Bash so it can create/write audit reports in the agent workspace — expected for a report generator, but be aware it can modify files in its working directory.
Install Mechanism
No install spec; instruction-only skill with one local script. Nothing is downloaded from arbitrary URLs and no archives will be extracted. This is the lowest-risk install posture for a skill that performs web queries and local script calls.
Credentials
The skill requires no environment variables or credentials. Its use of public APIs (DeFiLlama, GoPlus) matches the declared purpose; GoPlus is documented as free/no-key. No unrelated secrets or cross-service credentials are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill can run autonomously per platform defaults, but it does not request permanent system presence or modify other skills' configs. The primary privilege is the ability to write files in the agent workspace (report output), which is appropriate for this use case.
Assessment
This skill is internally consistent and uses public data sources (DeFiLlama, GoPlus) plus a local helper script to produce audit reports. Before installing: (1) review scripts/goplus-check.sh to confirm it only calls the documented GoPlus endpoints (the repo includes that script), (2) be aware the skill will perform network requests and may write reports to the agent workspace (it has Write/Edit in allowed-tools), and (3) understand this is a research tool — not a replacement for a formal smart-contract audit. Also note GoPlus has limited chain support (no Solana) and may have undocumented rate limits; results should be cross-checked with other sources for high-stakes decisions.



Runtime requirements

Bins: curl, jq
