Total downloads: 811 | Favourites: 0 | Current installs: 2 | Versions: 6
Install in OpenClaw
/install solidity-guardian
Description
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matchi...
Safe Usage Recommendations
This skill appears to implement a Solidity static scanner and optional Slither integration, but there are discrepancies you should resolve before running it:
- Documentation vs code mismatches: SKILL.md examples reference analyze.js, reporter.js, and a hardhat plugin that are not present in the package (the code contains analyzer.js and slither-integration.js). Confirm which entrypoints to run and whether analyzer exports the functions the integration expects (analyzeDirectory/analyzeFile/generateMarkdownReport). Running mismatched commands will fail or behave unexpectedly.
- Optional installer executes pip/pipx: slither-integration.js can auto-install Slither by running pipx/pip3/python3 -m pip via execSync. That will perform network installs and may change your system Python environment — run this only in an isolated or CI environment (container, VM) if you choose to auto-install.
- Review the code yourself (or have a developer do so) before running: analyzer.js parses local Solidity files and slither-integration.js executes shell commands. There are no obvious exfiltration endpoints, but you should still audit exported functions, ensure no unexpected network calls are added, and test in a sandbox.
- Practical steps before using:
1) Open analyzer.js and confirm it exports the functions the integrator and examples expect.
2) Run the tool on a small, non-sensitive sample project first. Do not use --install-slither on a host with sensitive packages; prefer pre-installing Slither in an isolated environment.
3) If you plan to integrate with CI, vendor or pin the Slither installation steps and review those commands.
Given the mismatches and the installer behavior, treat this skill with caution until these inconsistencies are resolved or you run it in a controlled environment.
Functional Analysis
Type: OpenClaw Skill
Name: solidity-guardian
Version: 1.0.3
The `slither-integration.js` script is vulnerable to shell injection. It constructs a shell command using `child_process.execSync` where the `projectPath` argument is directly interpolated without sanitization. If an attacker can control this argument (e.g., via prompt injection against the OpenClaw agent), they could execute arbitrary commands on the host system. Additionally, the script uses `execSync` to install `slither-analyzer` via `pipx` or `pip3`, demonstrating broad command execution capabilities, though this specific installation is for a legitimate tool.
Capability Assessment
Purpose & Capability
The name/description (Solidity security analysis) aligns with the provided analyzer.js and slither-integration.js which implement pattern-based checks and optional Slither integration. This is coherent for an on-repo static scanner + optional Slither. However, the SKILL.md references scripts/files that are not present (analyze.js, reporter.js, hardhat-plugin), indicating the documentation and exported API may not match the shipped code.
Instruction Scope
Instructions are about analyzing local smart-contract source and generating reports, which is appropriate. They do not request secrets. Concerns: SKILL.md examples call node skills/solidity-guardian/analyze.js and require('./reporter') / hardhat plugin paths that are not in the file manifest. The runtime code (slither-integration.js and analyzer.js) will read project files, create a temporary JSON in /tmp, and may invoke system commands (slither, pip). Reading project source is expected; invoking installers is more intrusive and should be run intentionally.
Install Mechanism
No formal install spec is declared (instruction-only), which is lowest-risk. The included slither-integration.js, however, can auto-install Slither by running pipx/pip3/python3 -m pip commands via execSync. That behavior is optional (triggered by --install-slither) but will execute network installs and may modify the environment. This is expected for integrating Slither but is higher-risk than a pure JS-only tool and should be run in a controlled environment.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not reference secrets or unexpected environment variables. The behavior is proportional to its purpose (analyzing local source).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. The only notable side-effect is the optional installation of Slither (system-level pip installs) and writing a temporary file under /tmp, both of which are expected for the described functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install solidity-guardian
- After installation, call the Skill by name or trigger it with /solidity-guardian
- Provide the required inputs as described in the Skill's parameter documentation to receive structured output.
Version History
v1.0.3
Smart contract security auditor - v1.0.3
v2.1.0
Smart contract security auditor - 40+ vulnerability patterns, Slither integration, CI/CD ready
v2.0.0
Smart contract security auditor - 40+ vulnerability patterns, Slither integration
v1.0.2
Smart contract security auditor
v1.0.1
Smart contract security auditor - v1.0.1
v1.0.0
Initial release – smart contract security analysis for Solidity projects.
- Detects 40+ vulnerability patterns (Critical/High/Medium/Low) using pattern matching and industry best practices.
- Provides fix suggestions and generates detailed audit reports in markdown format.
- Supports both Hardhat and Foundry projects with easy integration.
- Offers Slither integration for combined static analysis and reporting.
- Includes best practices checklist and references for secure smart contract development.
FAQ
What is Solidity Guardian?
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matchi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 811 cumulative downloads to date.
How do I install Solidity Guardian?
Run the command "/install solidity-guardian" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Solidity Guardian free?
Yes, Solidity Guardian is completely free (open source) and can be freely downloaded, installed and used.
Which platforms does Solidity Guardian support?
Solidity Guardian is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Solidity Guardian?
Developed and maintained by aviclaw (@aviclaw); current version v1.0.3.