811 downloads · 0 stars · 2 active installs · 6 versions
Install in OpenClaw: /install solidity-guardian
Description
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matchi...
Usage Guidance
This skill appears to implement a Solidity static scanner and optional Slither integration, but there are discrepancies you should resolve before running it:
- Documentation vs code mismatches: SKILL.md examples reference analyze.js, reporter.js, and a hardhat plugin that are not present in the package (the code contains analyzer.js and slither-integration.js). Confirm which entrypoints to run and whether analyzer exports the functions the integration expects (analyzeDirectory/analyzeFile/generateMarkdownReport). Running mismatched commands will fail or behave unexpectedly.
- Optional installer executes pip/pipx: slither-integration.js can auto-install Slither by running pipx/pip3/python3 -m pip via execSync. That will perform network installs and may change your system Python environment — run this only in an isolated or CI environment (container, VM) if you choose to auto-install.
- Review the code yourself (or have a developer do so) before running: analyzer.js parses local Solidity files and slither-integration.js executes shell commands. There are no obvious exfiltration endpoints, but you should still audit exported functions, ensure no unexpected network calls are added, and test in a sandbox.
- Practical steps before using:
1) Open analyzer.js and confirm it exports the functions the integrator and examples expect.
2) Run the tool on a small, non-sensitive sample project first. Do not use --install-slither on a host with sensitive packages; prefer pre-installing Slither in an isolated environment.
3) If you plan to integrate with CI, vendor or pin the Slither installation steps and review those commands.
Given the mismatches and the installer behavior, treat this skill with caution until these inconsistencies are resolved or you run it in a controlled environment.
Capability Analysis
Type: OpenClaw Skill
Name: solidity-guardian
Version: 1.0.3
The `slither-integration.js` script is vulnerable to shell injection. It constructs a shell command using `child_process.execSync` where the `projectPath` argument is directly interpolated without sanitization. If an attacker can control this argument (e.g., via prompt injection against the OpenClaw agent), they could execute arbitrary commands on the host system. Additionally, the script uses `execSync` to install `slither-analyzer` via `pipx` or `pip3`, demonstrating broad command execution capabilities, though this specific installation is for a legitimate tool.
Capability Assessment
Purpose & Capability
The name/description (Solidity security analysis) aligns with the provided analyzer.js and slither-integration.js which implement pattern-based checks and optional Slither integration. This is coherent for an on-repo static scanner + optional Slither. However, the SKILL.md references scripts/files that are not present (analyze.js, reporter.js, hardhat-plugin), indicating the documentation and exported API may not match the shipped code.
Instruction Scope
Instructions are about analyzing local smart-contract source and generating reports, which is appropriate. They do not request secrets. Concerns: SKILL.md examples call node skills/solidity-guardian/analyze.js and require('./reporter') / hardhat plugin paths that are not in the file manifest. The runtime code (slither-integration.js and analyzer.js) will read project files, create a temporary JSON in /tmp, and may invoke system commands (slither, pip). Reading project source is expected; invoking installers is more intrusive and should be run intentionally.
Install Mechanism
No formal install spec is declared (instruction-only), which is lowest-risk. The included slither-integration.js, however, can auto-install Slither by running pipx/pip3/python3 -m pip commands via execSync. That behavior is optional (triggered by --install-slither) but will execute network installs and may modify the environment. This is expected for integrating Slither but is higher-risk than a pure JS-only tool and should be run in a controlled environment.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not reference secrets or unexpected environment variables. The behavior is proportional to its purpose (analyzing local source).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. The only notable side-effect is the optional installation of Slither (system-level pip installs) and writing a temporary file under /tmp, both of which are expected for the described functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install solidity-guardian`
- After installation, invoke the skill by name or use `/solidity-guardian`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Smart contract security auditor - v1.0.3
v2.1.0
Smart contract security auditor - 40+ vulnerability patterns, Slither integration, CI/CD ready
v2.0.0
Smart contract security auditor - 40+ vulnerability patterns, Slither integration
v1.0.2
Smart contract security auditor
v1.0.1
Smart contract security auditor - v1.0.1
v1.0.0
Initial release – smart contract security analysis for Solidity projects.
- Detects 40+ vulnerability patterns (Critical/High/Medium/Low) using pattern matching and industry best practices.
- Provides fix suggestions and generates detailed audit reports in markdown format.
- Supports both Hardhat and Foundry projects with easy integration.
- Offers Slither integration for combined static analysis and reporting.
- Includes best practices checklist and references for secure smart contract development.
Frequently Asked Questions
What is Solidity Guardian?
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matchi... It is an AI Agent Skill for Claude Code / OpenClaw, with 811 downloads so far.
How do I install Solidity Guardian?
Run "/install solidity-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Solidity Guardian free?
Yes, Solidity Guardian is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Solidity Guardian support?
Solidity Guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Solidity Guardian?
It is built and maintained by aviclaw (@aviclaw); the current version is v1.0.3.