← 返回 Skills 市场
262
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install auto-bug-finder
功能描述
Iteratively scans, analyzes, fixes, and verifies Solidity contracts using Hardhat and Slither until no critical, high, or medium security bugs remain or max...
使用说明 (SKILL.md)
Auto Bug Finder — Code Security Scanner
Iterative, LLM-inspired bug detection and fixing system for production code. Currently supports Solidity (Hardhat + Slither). Extensible to Node.js, Python, and other stacks. Inspired by Andrej Karpathy's methodology: analyze → find → fix → test → repeat until clean.
What It Does
Runs multi-tool security scans in iterative sprints:
- Scan — Compiles, runs tests, runs static analysis (Slither for Solidity), checks coverage
- Analyze — Parses all tool outputs into structured findings (Critical/High/Medium/Low/Info)
- Fix — Generates patches for each finding with documentation
- Verify — Recompiles, retests, rescans to confirm fixes
- Loop — Repeats until 0 Critical/High/Medium findings OR 10 sprints max
When To Use
- Before marking any Solidity contract as complete (mandatory per Netrix policy)
- Before mainnet deployment — catch issues cheaply on testnet
- After major refactors — verify no regressions
- As part of CI/CD — automated security gate
How To Use
Quick Start
# Copy the skill into your contract project
cp skills/auto-bug-finder/auto-bug-finder.js projects/my-contract/auto-bug-finder.js
# Run from the project root (where hardhat.config.js lives)
cd projects/my-contract
node auto-bug-finder.js
Requirements
- Node.js 18+
- Hardhat project with existing tests
- Slither (
pip install slither-analyzer) - Solidity 0.8.x contracts
Output
The script creates in auto-bug-finder/:
FINAL-REPORT.md— Executive summary with all findingssprint-results.json— Detailed per-sprint datapatches/patch-N.md— Per-finding documentation with fix rationale
Customization
Edit the config at the top of auto-bug-finder.js:
const CONFIG = {
contractDir: 'contracts', // Solidity source directory
testFile: 'test/AgentEscrow.test.js', // Test file to run
maxSprints: 10, // Safety limit
severityGate: ['Critical', 'High', 'Medium'], // Stop when these are 0
heuristics: true, // Enable custom heuristic checks
};
Heuristic Checks (Beyond Slither)
- Missing zero-address validation on sensitive parameters
- Missing event emissions on state changes
- Self-escrow / self-interaction risks
- Unreachable enum states
- State transition completeness
- Access control gaps
Auto-Audit Policy (MANDATORY — All Code)
- All final code (smart contracts, APIs, services, frontends) must pass Auto Bug Finder before marking complete
- Gate: 0 Critical, 0 High, 0 Medium findings required
- Max Sprints: 10 (safety limit)
- Output:
FINAL-REPORT.mdin projectauto-bug-finder/directory - PM cron checks for
FINAL-REPORT.mdbefore allowing completion mark
First Run: Agent Escrow (2026-03-16)
| Sprint | Findings | Critical | High | Medium | Low | Info |
|---|---|---|---|---|---|---|
| 1 | 7 | 0 | 0 | 0 | 2 | 5 |
| 2 | 7 (same) | 0 | 0 | 0 | 2 | 5 |
Result: ✅ LOW RISK — 2 improvements applied (removed unused Status.Created, added SelfEscrow check)
安全使用建议
Do not run this script on sensitive repositories or on your primary workstation without review. Specific recommendations: 1) Inspect the full auto-bug-finder.js file (it was truncated in the package) to ensure there are no network exfiltration calls or hidden commands. 2) Fix/verify the PROJECT_DIR logic (script uses path.resolve(__dirname, '..')) — either place the file where the script expects, or change it to use process.cwd() so it runs in your current project root. 3) Run the tool in an isolated environment (throwaway VM or container) with only the needed tooling installed (Node 18+, Hardhat via npx, Slither via pip), and with sensitive env vars removed. 4) Update metadata/README to declare required binaries (npx/hardhat, slither) so you can provision them explicitly. 5) Backup the repo or use a git branch before letting the script apply patches. 6) If you want higher assurance, run the script with verbose logging redirected to a file you control, and search the code for any outbound network calls or invocation of curl/wget/http(s) before trusting it on production code. If you want, I can scan the remaining truncated portion of the script for suspicious patterns if you paste it.
功能分析
Type: OpenClaw Skill
Name: auto-bug-finder
Version: 1.0.0
The skill bundle is a legitimate security automation tool designed to perform iterative static analysis and automated patching for Solidity smart contracts. The Node.js script (auto-bug-finder.js) uses standard development tools like Hardhat and Slither to identify vulnerabilities and applies fixes via string manipulation of the source code. While the SKILL.md contains 'mandatory' policy instructions aimed at influencing the AI agent's workflow, these instructions are aligned with the stated goal of ensuring code security and do not exhibit malicious intent, data exfiltration, or unauthorized access.
能力评估
Purpose & Capability
The SKILL.md and code both describe running Hardhat, Slither, coverage and heuristics to audit Solidity contracts, which is coherent with the skill's name. However the registry metadata claims no required binaries or env vars while the instructions explicitly require Node.js, npx/hardhat, and Slither; that mismatch is unexpected and should have been declared in metadata.
Instruction Scope
The runtime instructions tell the user to copy the script into their contract project and run it, and the script runs shell commands (npx hardhat, slither, coverage) and reads/writes project files. The code sets PROJECT_DIR = path.resolve(__dirname, '..'), which likely makes the script operate in the parent directory of where the file is placed — this contradicts the Quick Start and can cause scanning/changes outside the intended project. The script executes arbitrary shell commands via exec, reads contract/test files, and writes patch and report files; these are expected for an auditor but the directory-behavior bug increases risk of unintended scope.
Install Mechanism
No installer is provided (instruction-only plus included script), so nothing is automatically downloaded or installed by the skill itself. The script does call external tools (npx, slither) at runtime, which are external dependencies the user must provide; no remote install URLs or archives were observed in the manifest.
Credentials
The skill declares no required environment variables which aligns with metadata, but the script launches child processes with env: { ...process.env, ...options.env } (inheriting the whole environment). That is typical for running tooling, but because the script executes shell commands and may surface outputs, be aware that sensitive environment variables from the runner will be present in subshells and could appear in logs or be incidentally used by tools. Also metadata omission of required tooling (Hardhat/Slither) is a proportionality/documentation issue.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system privileges, and writes outputs only into its own patches/ and FINAL-REPORT.md files. No evidence of modifying other skills or global agent settings was found. However, because the script may operate in the wrong directory (see instruction scope), those writes could land in an unexpected location.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install auto-bug-finder - 安装完成后,直接呼叫该 Skill 的名称或使用
/auto-bug-finder触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial publish
元数据
常见问题
Auto Bug Finder 是什么?
Iteratively scans, analyzes, fixes, and verifies Solidity contracts using Hardhat and Slither until no critical, high, or medium security bugs remain or max... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 262 次。
如何安装 Auto Bug Finder?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install auto-bug-finder」即可一键安装,无需额外配置。
Auto Bug Finder 是免费的吗?
是的,Auto Bug Finder 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Auto Bug Finder 支持哪些平台?
Auto Bug Finder 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Auto Bug Finder?
由 jengajojo(@jengajojo)开发并维护,当前版本 v1.0.0。
推荐 Skills