Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solidity-audit

v1.0.1

Solidity smart contract security audit assistant following EEA EthTrust V3 specification. Performs structured audit workflow: vulnerability scanning, securit...

0 · 79 · 0 current · 0 all-time
by Jango@xiaominger
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the contents: SKILL.md, audit templates, checklists, and a small init script all align with a structured Solidity audit workflow. Required env, binaries, and config paths are empty (reasonable for an instruction-first audit helper).
Instruction Scope
Runtime instructions stay within audit scope (static analysis, tests, manual review, report generation). The SKILL.md asks the user/agent to examine project source, compiler settings, docs, and run audit tools — all expected for this purpose. It does not instruct exfiltration or accessing unrelated system credentials.
Install Mechanism
The registry has no install spec, but SKILL.md includes commands that fetch and install third‑party tooling (pip install slither-analyzer, cargo install aderyn, and a curl-based Foundry installer). These are common for this domain but involve network downloads and running remote scripts; users should verify sources and versions before executing.
Credentials
The skill declares no required credentials or config paths and the included files do not request secrets. Note: actual audits require access to the project's source (which may contain secrets or keys); only provide code you control and strip unrelated sensitive files before running automated scans.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide settings, and the included script only scaffolds a local audit project directory. No persistent agent privileges are requested.
Assessment
This skill appears coherent and appropriate for performing Solidity audits. Before installing or running its advised commands:
1) review any remote installer scripts (the Foundry curl installer) and prefer official sites/releases;
2) pin and verify tool versions (pip/cargo packages) to avoid unexpected updates;
3) run installations and scans in an isolated environment (container/VM) to limit risk;
4) do not upload private keys, .env files, or unrelated secrets as part of the code to be audited; and
5) inspect the included scripts (scripts/init_audit.py) to confirm they only create local scaffolding (they do).
If you want higher assurance, ask the publisher for a signed release or run the toolchain installs manually under your control.


latest: vk979yv7573vw14azygzjb2ssj5839t6j
