Skill details (site mirror, no comments)
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.3
Stats: ⭐ 0 · 573 · 2 current installs · 2 all-time installs
Package: aviclaw/solidity-guardian
Security scan (ClawHub)
- VirusTotal: suspicious
- OpenClaw: suspicious
OpenClaw assessment
The skill's code broadly matches a Solidity scanner, but there are multiple inconsistencies (missing/mismatched files referenced in the docs, and an installer that runs pip commands) that merit caution before installing or running it.
Purpose
The name/description (Solidity security analysis) aligns with the provided analyzer.js and slither-integration.js which implement pattern-based checks and optional Slither integration. This is coherent for an on-repo static scanner + optional Slither. However, the SKILL.md references scripts/files that are not present (analyze.js, reporter.js, hardhat-plugin), indicating the documentation and exported API may not match the shipped code.
Instruction scope
Instructions are about analyzing local smart-contract source and generating reports, which is appropriate. They do not request secrets. Concerns: SKILL.md examples call node skills/solidity-guardian/analyze.js and require('./reporter') / hardhat plugin paths that are not in the file manifest. The runtime code (slither-integration.js and analyzer.js) will read project files, create a temporary JSON in /tmp, and may invoke system commands (slith…
Install mechanism
No formal install spec is declared (instruction-only), which is lowest-risk. The included slither-integration.js, however, can auto-install Slither by running pipx/pip3/python3 -m pip commands via execSync. That behavior is optional (triggered by --install-slither) but will execute network installs and may modify the environment. This is expected for integrating Slither but is higher-risk than a pure JS-only tool and should be run in a control…
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not reference secrets or unexpected environment variables. The behavior is proportional to its purpose (analyzing local source).
Persistence
The skill does not request always:true and does not modify other skills or global agent configuration. The only notable side-effect is the optional installation of Slither (system-level pip installs) and writing a temporary file under /tmp, both of which are expected for the described functionality.
Install (copy to the Lobster AI)
Copy the whole block below into a 龙虾中文库 (Lobster Chinese Library) conversation; the Lobster AI will complete the install according to SKILL.md.
Hand this block to 龙虾中文库 (Lobster AI) to execute: install the OpenClaw skill "Solidity Guardian" on this machine. Summary: Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, …
Please fetch the following URL, read SKILL.md, and complete the install as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/aviclaw/solidity-guardian/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: solidity-guardian
version: 1.0.0
description: Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matching + best practices from Trail of Bits, OpenZeppelin, and Consensys.
author: aviclaw
tags:
- solidity
- security
- audit
- smart-contracts
- ethereum
- vulnerability
- scanner
---
# Solidity Guardian 🛡️
Security analysis for Solidity smart contracts. Find vulnerabilities, get fix suggestions, follow best practices.
## Quick Start
```bash
# Analyze a single contract
node skills/solidity-guardian/analyze.js contracts/MyContract.sol
# Analyze entire project
node skills/solidity-guardian/analyze.js ./contracts/
# Generate markdown report
node skills/solidity-guardian/analyze.js ./contracts/ --format markdown > AUDIT.md
```
## What It Detects (40+ Patterns)
### Critical (Must Fix)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-001 | Reentrancy | External calls before state updates |
| SG-002 | Unprotected selfdestruct | Missing access control on selfdestruct |
| SG-003 | Delegatecall to untrusted | Delegatecall with user-controlled address |
| SG-004 | Uninitialized storage pointer | Storage pointer overwrites slots |
| SG-005 | Signature replay | ecrecover without nonce/chainId |
| SG-006 | Arbitrary jump | Function type from user input |
### High (Should Fix)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-010 | Missing access control | Public functions that should be restricted |
| SG-011 | Unchecked transfer | ERC20 transfer without return check |
| SG-012 | Integer overflow | Arithmetic without SafeMath (pre-0.8) |
| SG-013 | tx.origin auth | Using tx.origin for authentication |
| SG-014 | Weak randomness | block.timestamp/blockhash for randomness |
| SG-015 | Unprotected withdrawal | Withdrawal without ownership check |
| SG-016 | Unchecked low-level call | .call() without success check |
| SG-017 | Dangerous equality | Strict balance check (manipulable) |
| SG-018 | Deprecated functions | suicide, sha3, throw, callcode |
| SG-019 | Wrong constructor | Function name matches contract |
### Medium (Consider Fixing)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-020 | Floating pragma | Non-pinned Solidity version |
| SG-021 | Missing zero check | No validation for zero address |
| SG-022 | Timestamp dependence | Logic depends on block.timestamp |
| SG-023 | DoS with revert | Loop with external call can revert |
| SG-024 | Front-running risk | Predictable state changes |
### Low (Best Practice)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-030 | Missing events | State changes without events |
| SG-031 | Magic numbers | Hardcoded values without constants |
| SG-032 | Implicit visibility | Functions without explicit visibility |
| SG-033 | Large contract | Contract exceeds size recommendations |
| SG-034 | Missing NatSpec | Public functions without documentation |
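To show how pattern-based checks like the ones tabulated above work, here is an added example written for this page (it is not the skill's own analyzer.js). It scans a constructed sample contract for three of the listed rules and returns findings with line numbers; the rule IDs are borrowed from the table, while the regex heuristics and the sample are this example's own.

```javascript
// Added example (not the skill's analyzer.js): a minimal regex-based scanner
// in the style of the SG-xxx checks. Heuristics and sample are constructed here.
const RULES = [
  {
    id: 'SG-020', severity: 'medium', title: 'Floating pragma',
    // ^0.8.0, ~0.8.0, >=0.8.0: anything other than a pinned version
    test: (line) => /^\s*pragma\s+solidity\s+[\^~>]/.test(line),
  },
  {
    id: 'SG-013', severity: 'high', title: 'tx.origin auth',
    // tx.origin used in a comparison or require(): authentication, not logging
    test: (line) => /\btx\.origin\b/.test(line) && /require|==|!=/.test(line),
  },
  {
    id: 'SG-016', severity: 'high', title: 'Unchecked low-level call',
    // .call(...) or .call{value: x}(...) whose bool result is never captured
    test: (line) => /\.call\s*(\{[^}]*\})?\s*\(/.test(line)
      && !/\(\s*bool\b|=\s*[\w.]+\.call|require\s*\(/.test(line),
  },
];
// Blank out comments but keep newlines so reported line numbers stay exact.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, (m) => m.replace(/[^\n]/g, ' '));
}
// Run every rule over every line; findings are shaped like the page's examples.
function scan(source) {
  const findings = [];
  stripComments(source).split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.test(text)) {
        findings.push({ id: rule.id, severity: rule.severity, title: rule.title, line: idx + 1 });
      }
    }
  });
  return findings;
}
// Constructed sample: one instance of each pattern (comments are ignored by scan).
const SAMPLE = `pragma solidity ^0.8.0;
contract Vault {
    address owner;
    mapping(address => uint256) balances;
    function withdraw(uint256 amt) external {
        require(tx.origin == owner, "not owner"); // SG-013
        msg.sender.call{value: amt}("");            // SG-016: result ignored
        balances[msg.sender] -= amt;
    }
}`;
for (const f of scan(SAMPLE)) console.log(`[${f.severity}] ${f.id} ${f.title} (line ${f.line})`);
```

Line-oriented regexes miss multi-line statements and cannot follow data flow, which is exactly the gap the Slither integration below is meant to cover.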
## Usage Examples
### Basic Analysis
```javascript
const { analyzeContract } = require('./analyzer');

(async () => {
  // Run all pattern checks against a single contract file
  const results = await analyzeContract('contracts/Token.sol');
  console.log(results.findings);
})();
```
### With Fix Suggestions
```javascript
const { analyzeContract } = require('./analyzer');

(async () => {
  // Restrict output to the two highest severities and include fix text
  const results = await analyzeContract('contracts/Vault.sol', {
    includeFixes: true,
    severity: ['critical', 'high']
  });
  for (const finding of results.findings) {
    console.log(`[${finding.severity}] ${finding.title}`);
    console.log(`  Line ${finding.line}: ${finding.description}`);
    console.log(`  Fix: ${finding.suggestion}`);
  }
})();
```
### Generate Report
```javascript
const fs = require('fs');
const { generateReport } = require('./reporter');

(async () => {
  // Build a markdown report for the whole contracts directory
  const report = await generateReport('./contracts/', {
    format: 'markdown',
    includeGas: true,
    includeBestPractices: true
  });
  fs.writeFileSync('SECURITY_AUDIT.md', report);
})();
```
## Best Practices Checklist
When writing secure contracts, follow these guidelines:
### Access Control
- [ ] Use OpenZeppelin's `Ownable` or `AccessControl`
- [ ] Apply `onlyOwner` or role checks to sensitive functions
- [ ] Implement two-step ownership transfer
- [ ] Consider timelocks for critical operations
### Reentrancy Prevention
- [ ] Use `ReentrancyGuard` on all external-facing functions
- [ ] Follow checks-effects-interactions pattern
- [ ] Update state BEFORE external calls
- [ ] Use pull over push for payments
### Input Validation
- [ ] Validate all external inputs
- [ ] Check for zero addresses
- [ ] Validate array lengths match
- [ ] Use SafeERC20 for token transfers
### Arithmetic Safety
- [ ] Use Solidity 0.8+ or SafeMath
- [ ] Check for division by zero
- [ ] Validate percentage calculations (≤100)
- [ ] Be careful with token decimals
### Upgradeability (if applicable)
- [ ] Use initializer instead of constructor
- [ ] Protect initialize from re-initialization
- [ ] Follow storage layout rules
- [ ] Test upgrade paths
## Slither Integration
Guardian can run alongside Slither for comprehensive analysis:
```bash
# Combined analysis (auto-installs Slither if missing)
node skills/solidity-guardian/slither-integration.js ./contracts/ --install-slither
# Generate combined report
node skills/solidity-guardian/slither-integration.js . --format markdown --output AUDIT.md
# Guardian only (faster, no Slither dependency)
node skills/solidity-guardian/slither-integration.js ./contracts/ --guardian-only
# Slither only
node skills/solidity-guardian/slither-integration.js ./contracts/ --slither-only
```
**Why both?**
- Guardian: Fast pattern matching, custom rules, no compilation needed
- Slither: Deep dataflow analysis, CFG-based detection, more comprehensive
## Integration with Other Tools
### Hardhat
```javascript
// hardhat.config.js
require('./skills/solidity-guardian/hardhat-plugin');
// Run: npx hardhat guardian
```
### Foundry
```bash
# Add to CI
forge build
node skills/solidity-guardian/analyze.js ./src/
```
## References
- [Trail of Bits - Building Secure Contracts](https://github.com/crytic/building-secure-contracts)
- [OpenZeppelin - Security Best Practices](https://docs.openzeppelin.com/learn/preparing-for-mainnet)
- [Consensys - Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/)
- [SWC Registry](https://swcregistry.io/)
---
Built by Avi 🔐 | Security-first, ship always.