← Back to Skills Marketplace
jengajojo

Auto Bug Finder

by jengajojo · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
262
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install auto-bug-finder
Description
Iteratively scans, analyzes, fixes, and verifies Solidity contracts using Hardhat and Slither until no critical, high, or medium security bugs remain or max...
README (SKILL.md)

Auto Bug Finder — Code Security Scanner

Iterative, LLM-inspired bug detection and fixing system for production code. Currently supports Solidity (Hardhat + Slither). Extensible to Node.js, Python, and other stacks. Inspired by Andrej Karpathy's methodology: analyze → find → fix → test → repeat until clean.

What It Does

Runs multi-tool security scans in iterative sprints:

  1. Scan — Compiles, runs tests, runs static analysis (Slither for Solidity), checks coverage
  2. Analyze — Parses all tool outputs into structured findings (Critical/High/Medium/Low/Info)
  3. Fix — Generates patches for each finding with documentation
  4. Verify — Recompiles, retests, rescans to confirm fixes
  5. Loop — Repeats until 0 Critical/High/Medium findings OR 10 sprints max

When To Use

  • Before marking any Solidity contract as complete (mandatory per Netrix policy)
  • Before mainnet deployment — catch issues cheaply on testnet
  • After major refactors — verify no regressions
  • As part of CI/CD — automated security gate

How To Use

Quick Start

# Copy the skill into your contract project
cp skills/auto-bug-finder/auto-bug-finder.js projects/my-contract/auto-bug-finder.js

# Run from the project root (where hardhat.config.js lives)
cd projects/my-contract
node auto-bug-finder.js

Requirements

  • Node.js 18+
  • Hardhat project with existing tests
  • Slither (pip install slither-analyzer)
  • Solidity 0.8.x contracts

Output

The script creates in auto-bug-finder/:

  • FINAL-REPORT.md — Executive summary with all findings
  • sprint-results.json — Detailed per-sprint data
  • patches/patch-N.md — Per-finding documentation with fix rationale

Customization

Edit the config at the top of auto-bug-finder.js:

const CONFIG = {
  contractDir: 'contracts',      // Solidity source directory
  testFile: 'test/AgentEscrow.test.js',  // Test file to run
  maxSprints: 10,                // Safety limit
  severityGate: ['Critical', 'High', 'Medium'],  // Stop when these are 0
  heuristics: true,              // Enable custom heuristic checks
};

Heuristic Checks (Beyond Slither)

  • Missing zero-address validation on sensitive parameters
  • Missing event emissions on state changes
  • Self-escrow / self-interaction risks
  • Unreachable enum states
  • State transition completeness
  • Access control gaps

Auto-Audit Policy (MANDATORY — All Code)

  • All final code (smart contracts, APIs, services, frontends) must pass Auto Bug Finder before marking complete
  • Gate: 0 Critical, 0 High, 0 Medium findings required
  • Max Sprints: 10 (safety limit)
  • Output: FINAL-REPORT.md in project auto-bug-finder/ directory
  • PM cron checks for FINAL-REPORT.md before allowing completion mark

First Run: Agent Escrow (2026-03-16)

Sprint Findings Critical High Medium Low Info
1 7 0 0 0 2 5
2 7 (same) 0 0 0 2 5

Result: ✅ LOW RISK — 2 improvements applied (removed unused Status.Created, added SelfEscrow check)

Usage Guidance
Do not run this script on sensitive repositories or on your primary workstation without review. Specific recommendations: 1) Inspect the full auto-bug-finder.js file (it was truncated in the package) to ensure there are no network exfiltration calls or hidden commands. 2) Fix/verify the PROJECT_DIR logic (script uses path.resolve(__dirname, '..')) — either place the file where the script expects, or change it to use process.cwd() so it runs in your current project root. 3) Run the tool in an isolated environment (throwaway VM or container) with only the needed tooling installed (Node 18+, Hardhat via npx, Slither via pip), and with sensitive env vars removed. 4) Update metadata/README to declare required binaries (npx/hardhat, slither) so you can provision them explicitly. 5) Backup the repo or use a git branch before letting the script apply patches. 6) If you want higher assurance, run the script with verbose logging redirected to a file you control, and search the code for any outbound network calls or invocation of curl/wget/http(s) before trusting it on production code. If you want, I can scan the remaining truncated portion of the script for suspicious patterns if you paste it.
Capability Analysis
Type: OpenClaw Skill Name: auto-bug-finder Version: 1.0.0 The skill bundle is a legitimate security automation tool designed to perform iterative static analysis and automated patching for Solidity smart contracts. The Node.js script (auto-bug-finder.js) uses standard development tools like Hardhat and Slither to identify vulnerabilities and applies fixes via string manipulation of the source code. While the SKILL.md contains 'mandatory' policy instructions aimed at influencing the AI agent's workflow, these instructions are aligned with the stated goal of ensuring code security and do not exhibit malicious intent, data exfiltration, or unauthorized access.
Capability Assessment
Purpose & Capability
The SKILL.md and code both describe running Hardhat, Slither, coverage and heuristics to audit Solidity contracts, which is coherent with the skill's name. However the registry metadata claims no required binaries or env vars while the instructions explicitly require Node.js, npx/hardhat, and Slither; that mismatch is unexpected and should have been declared in metadata.
Instruction Scope
The runtime instructions tell the user to copy the script into their contract project and run it, and the script runs shell commands (npx hardhat, slither, coverage) and reads/writes project files. The code sets PROJECT_DIR = path.resolve(__dirname, '..'), which likely makes the script operate in the parent directory of where the file is placed — this contradicts the Quick Start and can cause scanning/changes outside the intended project. The script executes arbitrary shell commands via exec, reads contract/test files, and writes patch and report files; these are expected for an auditor but the directory-behavior bug increases risk of unintended scope.
Install Mechanism
No installer is provided (instruction-only plus included script), so nothing is automatically downloaded or installed by the skill itself. The script does call external tools (npx, slither) at runtime, which are external dependencies the user must provide; no remote install URLs or archives were observed in the manifest.
Credentials
The skill declares no required environment variables which aligns with metadata, but the script launches child processes with env: { ...process.env, ...options.env } (inheriting the whole environment). That is typical for running tooling, but because the script executes shell commands and may surface outputs, be aware that sensitive environment variables from the runner will be present in subshells and could appear in logs or be incidentally used by tools. Also metadata omission of required tooling (Hardhat/Slither) is a proportionality/documentation issue.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system privileges, and writes outputs only into its own patches/ and FINAL-REPORT.md files. No evidence of modifying other skills or global agent settings was found. However, because the script may operate in the wrong directory (see instruction scope), those writes could land in an unexpected location.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auto-bug-finder
  3. After installation, invoke the skill by name or use /auto-bug-finder
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish
Metadata
Slug auto-bug-finder
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Auto Bug Finder?

Iteratively scans, analyzes, fixes, and verifies Solidity contracts using Hardhat and Slither until no critical, high, or medium security bugs remain or max... It is an AI Agent Skill for Claude Code / OpenClaw, with 262 downloads so far.

How do I install Auto Bug Finder?

Run "/install auto-bug-finder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Auto Bug Finder free?

Yes, Auto Bug Finder is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Auto Bug Finder support?

Auto Bug Finder is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Auto Bug Finder?

It is built and maintained by jengajojo (@jengajojo); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments