mzfshark

Smart Contract Audit

Author: Mauricio Z. · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ security check passed
Total downloads: 54 · Favourites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install axodus-smartcontracts-audits
Description
Audit Solidity contracts for common vulnerabilities and design risks.
Usage instructions (SKILL.md)

SKILL: smart-contract-audit

Purpose

Perform a deterministic, evidence-based vulnerability review of Solidity contracts and produce a prioritized audit report with concrete fixes.

When to Use

  • Before any deployment (even testnet) of value-bearing contracts.
  • After changing access control, external calls, accounting, or token logic.
  • When integrating with external protocols.

Inputs

  • scope (required, string[]): contract files and dependencies.
  • threat_model (optional, string): assets at risk, attacker capabilities, trust assumptions.
  • deployment_assumptions (optional, string): upgradeability, admin keys, multisig/DAO governance.

Steps

  1. Map the system:
    • entrypoints (public/external)
    • privileged roles
    • external calls and token transfers
  2. Run checklist-based review:
    • access control (missing/overbroad roles)
    • reentrancy surfaces (external calls, callbacks)
    • accounting correctness (under/overflow, rounding, precision, fee logic)
    • ERC standard compliance (events, return values)
    • upgradeability hazards (storage layout, initializer patterns)
    • DoS vectors (unbounded loops, griefing)
  3. Identify invariants and where they can break.
  4. Produce findings with reproduction notes and recommended fixes.

Validation

  • Every finding includes:
    • impacted function(s)
    • why it’s exploitable or risky
    • concrete remediation guidance
  • Non-issues are explicitly marked as “informational” when needed.

Output

Audit report (example schema):

summary: "<system overview + top risks>"
findings:
  - id: "SC-001"
    severity: "critical|high|medium|low|info"
    title: "<short>"
    location: ["contracts/X.sol:123"]
    description: "<what is wrong>"
    impact: "<what can happen>"
    recommendation: "<how to fix>"
assumptions: ["..."]

Safety Rules

  • Do not provide exploit code for real targets.
  • Do not claim “secure” or “audited” as an absolute; report risk and evidence.
  • Escalate to stricter review if funds or governance are at stake.

Example

Scope: ["contracts/Vault.sol", "contracts/Token.sol"] Output: includes reentrancy review of withdraw() and role boundaries for setFee().
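As an added illustration of Steps 2 and 4 and of the Vault.sol example above (constructed here, not a file from the skill bundle; the contract names, storage layout and the 10% fee bound are assumptions), the withdraw() reentrancy surface and the setFee() role boundary are shown as the pattern a finding would describe, next to the remediation it would recommend:

```solidity
pragma solidity ^0.8.20;

// Constructed example for the Vault.sol / withdraw() / setFee() scope above.
// Not part of the skill bundle; contract names and the fee bound are assumptions.

// "Before": what a finding's description/impact fields would point at.
contract VaultBefore {
    mapping(address => uint256) public balances;
    uint256 public feeBps;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    // Finding: the external call runs before the balance is zeroed, so a contract
    // caller's receive() sees the old balance if it calls withdraw() again.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
    // Finding: no role check and no upper bound; any caller can set any fee.
    function setFee(uint256 bps) external { feeBps = bps; }
}

// "After": what the recommendation field would carry.
contract VaultAfter {
    mapping(address => uint256) public balances;
    uint256 public feeBps;
    address public immutable owner;
    uint256 private _locked = 1;           // simple mutex: 1 = free, 2 = entered
    event FeeUpdated(uint256 bps);         // observability for off-chain monitoring
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier nonReentrant() { require(_locked == 1, "reentrant"); _locked = 2; _; _locked = 1; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    // Checks-effects-interactions: zero the balance before the external call,
    // and the mutex makes any nested call into a nonReentrant function revert.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
    // Role boundary plus a hard cap (10%, an assumed policy value) and an event.
    function setFee(uint256 bps) external onlyOwner {
        require(bps <= 1000, "fee above 10%");
        feeBps = bps;
        emit FeeUpdated(bps);
    }
}
```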

Safe usage advice
This skill is instruction-only and appears coherent for auditing Solidity source files. However: (1) verify the skill author/owner provenance before trusting reports (metadata shows inconsistent author/owner labels); (2) do not feed any private keys, mnemonic phrases, or other secrets as part of the 'scope' input; audits should only include contract source and harmless test artifacts; (3) treat the generated audit as advisory: cross-check findings with standard static analyzers (Slither, Mythril, Echidna) and manual review before deploying; (4) although the SKILL.md asks not to provide exploit code, the model could still produce PoC snippets; review outputs for disallowed content and never run exploit code against real systems. If you need stronger assurance, prefer a skill with verifiable source (GitHub repo, maintainer identity) or run audits locally using known open-source tools.
Functional analysis
Type: OpenClaw Skill
Name: axodus-smartcontracts-audits
Version: 1.0.0
The skill bundle defines a structured process for auditing Solidity smart contracts, focusing on common vulnerabilities like reentrancy, access control, and accounting logic. The instructions in SKILL.md and smart-contract-audit.md are professional, include explicit safety rules against generating exploit code, and contain no evidence of malicious intent, data exfiltration, or prompt injection.
Capability tags
crypto
Capability assessment
Purpose & Capability
The name, description, and runtime instructions all align: the skill describes checklist-based auditing of Solidity contracts and requires only contract sources as input. Minor metadata inconsistencies exist (author listed as "RedHat Dev" in SKILL.md/_meta.json while registry owner is a different ID), which is a provenance/labeling issue but not a technical mismatch with functionality.
Instruction Scope
SKILL.md is explicit and scoped to analyzing the provided `scope` files, mapping entrypoints/roles, checklist review, and producing findings. It does not instruct the agent to read unrelated files, access external endpoints, or exfiltrate data. It also contains safety guidance not to provide exploit code for real targets.
Install Mechanism
There is no install spec and no code files. This is instruction-only, so nothing will be downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential request for the described audit functionality.
Persistence & Privilege
The skill does not request always:true and is user-invocable. The skill allows normal autonomous model invocation (platform default), which increases blast radius only in combination with other risks; no such risks are present here.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install axodus-smartcontracts-audits
  3. Once installed, call the Skill by name directly or trigger it with /axodus-smartcontracts-audits
  4. Provide the required inputs according to the Skill's parameter description to receive structured output
Version history
v1.0.0
smart-contract-audit v1.0.0
  • Initial release providing deterministic, evidence-based vulnerability reviews for Solidity contracts.
  • Audits identify risks including access control flaws, reentrancy, accounting errors, and ERC standard compliance.
  • Inputs support custom scope, threat models, and deployment assumptions.
  • Outputs a structured YAML audit report with prioritized findings and actionable recommendations.
  • Emphasizes responsible disclosure, reproduction guidance, and explicit risk explanations.
Metadata
Slug axodus-smartcontracts-audits
Version 1.0.0
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 1
Frequently asked questions

What is Smart Contract Audit?

Audit Solidity contracts for common vulnerabilities and design risks. It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 54 times so far.

How do I install Smart Contract Audit?

Run the command "/install axodus-smartcontracts-audits" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Smart Contract Audit free?

Yes, Smart Contract Audit is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Smart Contract Audit support?

Smart Contract Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Smart Contract Audit?

Developed and maintained by Mauricio Z. (@mzfshark); current version v1.0.0.
