solidity-guardian
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matching + best practices from Trail of Bits, OpenZeppelin, and Consensys.
Best use case
solidity-guardian is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using solidity-guardian should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/solidity-guardian/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
SKILL.md Source
# Solidity Guardian 🛡️
Security analysis for Solidity smart contracts. Find vulnerabilities, get fix suggestions, follow best practices.
## Quick Start
```bash
# Analyze a single contract
node skills/solidity-guardian/analyze.js contracts/MyContract.sol
# Analyze entire project
node skills/solidity-guardian/analyze.js ./contracts/
# Generate markdown report
node skills/solidity-guardian/analyze.js ./contracts/ --format markdown > AUDIT.md
```
## What It Detects (40+ Patterns)
### Critical (Must Fix)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-001 | Reentrancy | External calls before state updates |
| SG-002 | Unprotected selfdestruct | Missing access control on selfdestruct |
| SG-003 | Delegatecall to untrusted | Delegatecall with user-controlled address |
| SG-004 | Uninitialized storage pointer | Storage pointer overwrites slots |
| SG-005 | Signature replay | ecrecover without nonce/chainId |
| SG-006 | Arbitrary jump | Function type from user input |
### High (Should Fix)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-010 | Missing access control | Public functions that should be restricted |
| SG-011 | Unchecked transfer | ERC20 transfer without return check |
| SG-012 | Integer overflow | Arithmetic without SafeMath (pre-0.8) |
| SG-013 | tx.origin auth | Using tx.origin for authentication |
| SG-014 | Weak randomness | block.timestamp/blockhash for randomness |
| SG-015 | Unprotected withdrawal | Withdrawal without ownership check |
| SG-016 | Unchecked low-level call | .call() without success check |
| SG-017 | Dangerous equality | Strict balance check (manipulable) |
| SG-018 | Deprecated functions | suicide, sha3, throw, callcode |
| SG-019 | Wrong constructor | Function name matches contract |
### Medium (Consider Fixing)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-020 | Floating pragma | Non-pinned Solidity version |
| SG-021 | Missing zero check | No validation for zero address |
| SG-022 | Timestamp dependence | Logic depends on block.timestamp |
| SG-023 | DoS with revert | Loop with external call can revert |
| SG-024 | Front-running risk | Predictable state changes |
### Low (Best Practice)
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-030 | Missing events | State changes without events |
| SG-031 | Magic numbers | Hardcoded values without constants |
| SG-032 | Implicit visibility | Functions without explicit visibility |
| SG-033 | Large contract | Contract exceeds size recommendations |
| SG-034 | Missing NatSpec | Public functions without documentation |
## Usage Examples
### Basic Analysis
```javascript
const { analyzeContract } = require('./analyzer');

// analyzeContract returns a promise; CommonJS has no top-level await, so await inside an async wrapper
(async () => {
  const results = await analyzeContract('contracts/Token.sol');
  console.log(results.findings);
})();
```
### With Fix Suggestions
```javascript
const { analyzeContract } = require('./analyzer');

(async () => {
  const results = await analyzeContract('contracts/Vault.sol', {
    includeFixes: true,             // attach a suggested fix to each finding
    severity: ['critical', 'high']  // report only these severities
  });
  for (const finding of results.findings) {
    console.log(`[${finding.severity}] ${finding.title}`);
    console.log(`  Line ${finding.line}: ${finding.description}`);
    console.log(`  Fix: ${finding.suggestion}`);
  }
})();
```
### Generate Report
```javascript
const fs = require('fs');
const { generateReport } = require('./reporter');

(async () => {
  const report = await generateReport('./contracts/', {
    format: 'markdown',
    includeGas: true,            // include gas-optimization notes
    includeBestPractices: true   // append the best-practices checklist
  });
  fs.writeFileSync('SECURITY_AUDIT.md', report);
})();
```
## Best Practices Checklist
When writing secure contracts, follow these guidelines:
### Access Control
- [ ] Use OpenZeppelin's `Ownable` or `AccessControl`
- [ ] Apply `onlyOwner` or role checks to sensitive functions
- [ ] Implement two-step ownership transfer
- [ ] Consider timelocks for critical operations
### Reentrancy Prevention
- [ ] Use `ReentrancyGuard` on all external-facing functions
- [ ] Follow checks-effects-interactions pattern
- [ ] Update state BEFORE external calls
- [ ] Use pull over push for payments
### Input Validation
- [ ] Validate all external inputs
- [ ] Check for zero addresses
- [ ] Validate array lengths match
- [ ] Use SafeERC20 for token transfers
### Arithmetic Safety
- [ ] Use Solidity 0.8+ or SafeMath
- [ ] Check for division by zero
- [ ] Validate percentage calculations (≤100)
- [ ] Be careful with token decimals
### Upgradeability (if applicable)
- [ ] Use initializer instead of constructor
- [ ] Protect initialize from re-initialization
- [ ] Follow storage layout rules
- [ ] Test upgrade paths
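The pattern-matching detection described under "What It Detects", together with the reentrancy items of the checklist above, as an added example in JavaScript that is not the project's own analyze.js: a miniature line-based rule engine implementing SG-001, SG-013, SG-016, SG-018 and SG-020, run over two constructed contracts, one that breaks checks-effects-interactions and one that follows the checklist. The rule ids and titles come from the table; the regexes, the function name `analyzeSource`, the `severity` option and the two sample contracts are assumptions made for this example.

```javascript
// Added example, not the project's analyze.js: a miniature line-based rule engine in the
// style of Guardian's pattern matching. The SG-xxx ids and titles come from the table in
// SKILL.md; the heuristics, helper names and the two sample contracts are constructed here.

// Single-line rules, each tested against one comment-stripped source line.
const LINE_RULES = [
  { id: 'SG-013', severity: 'high', title: 'tx.origin auth',
    test: l => /\btx\.origin\b/.test(l) },
  { id: 'SG-018', severity: 'high', title: 'Deprecated functions',
    test: l => /\b(suicide|sha3|throw|callcode)\b/.test(l) },
  { id: 'SG-020', severity: 'medium', title: 'Floating pragma',
    test: l => /^\s*pragma\s+solidity\s*[\^~>]/.test(l) },
  // .call(...) or .call{value: ...}(...) whose bool result is neither captured nor required
  { id: 'SG-016', severity: 'high', title: 'Unchecked low-level call',
    test: l => /\.call\s*[{(]/.test(l) && !/\bbool\b|\brequire\s*\(/.test(l) },
];

// A write to a storage-looking lvalue (`balances[x] = ...`, `+=`, `-=`, `*=`). Local
// declarations (`uint256 x = ...`) and tuple assignments (`(bool ok, ) = ...`) do not match.
const STATE_WRITE = /^\s*[A-Za-z_]\w*(\[[^\]]*\])*(\.\w+)*\s*(\+=|-=|\*=|=)(?!=)/;
const EXTERNAL_CALL = /\.call\s*[{(]/;

function analyzeSource(source, opts = {}) {
  const findings = [];
  let fn = null;   // { callLine } while inside a function body, otherwise null
  let depth = 0;   // brace depth relative to the current function

  source.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '');   // drop line comments
    const lineNo = idx + 1;
    for (const rule of LINE_RULES) {
      if (rule.test(line)) {
        findings.push({ id: rule.id, severity: rule.severity, title: rule.title, line: lineNo });
      }
    }
    if (!fn && /\bfunction\b/.test(line)) { fn = { callLine: null }; depth = 0; }
    if (fn) {
      // SG-001 heuristic: a storage write after an external call in the same function
      // breaks checks-effects-interactions and is reported as reentrancy.
      if (fn.callLine === null && EXTERNAL_CALL.test(line)) {
        fn.callLine = lineNo;
      } else if (fn.callLine !== null && STATE_WRITE.test(line)) {
        findings.push({ id: 'SG-001', severity: 'critical', title: 'Reentrancy', line: lineNo,
          description: `state written after the external call on line ${fn.callLine}` });
      }
      const opens = (line.match(/\{/g) || []).length;
      const closes = (line.match(/\}/g) || []).length;
      depth += opens - closes;
      if (depth <= 0 && opens + closes > 0) fn = null;   // function body closed
    }
  });

  const wanted = opts.severity;   // e.g. ['critical', 'high'], as in the usage examples above
  return { findings: wanted ? findings.filter(f => wanted.includes(f.severity)) : findings };
}

// Constructed sample: floating pragma, balance zeroed only after the external call,
// tx.origin authentication and an unchecked low-level call.
const VULNERABLE_VAULT = `pragma solidity ^0.8.0;
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    function withdraw() public {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
    function sweep(address payable to) public {
        require(tx.origin == owner, "not owner");
        to.call{value: address(this).balance}("");
    }
}`;

// The same contract after the checklist: pinned pragma, msg.sender auth, state updated
// before the call (checks-effects-interactions) and every call result checked.
const HARDENED_VAULT = `pragma solidity 0.8.24;
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    function withdraw() public {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
    function sweep(address payable to) public {
        require(msg.sender == owner, "not owner");
        (bool sent, ) = to.call{value: address(this).balance}("");
        require(sent, "sweep failed");
    }
}`;

for (const f of analyzeSource(VULNERABLE_VAULT).findings) {
  console.log(`[${f.severity}] ${f.id} ${f.title} (line ${f.line})`);
}
console.log('hardened findings:', analyzeSource(HARDENED_VAULT).findings.length);   // 0
```

The SG-001 check is deliberately a textual heuristic: it only sees `.call` and assignments inside one function body, so calls routed through an interface, a modifier or a library escape it, and a write it flags may be to a local that merely looks like storage. That gap is the reason the Slither integration below pairs Guardian's fast matching with dataflow analysis rather than replacing one with the other.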
## Slither Integration
Guardian can run alongside Slither for comprehensive analysis:
```bash
# Combined analysis (auto-installs Slither if missing)
node skills/solidity-guardian/slither-integration.js ./contracts/ --install-slither
# Generate combined report
node skills/solidity-guardian/slither-integration.js . --format markdown --output AUDIT.md
# Guardian only (faster, no Slither dependency)
node skills/solidity-guardian/slither-integration.js ./contracts/ --guardian-only
# Slither only
node skills/solidity-guardian/slither-integration.js ./contracts/ --slither-only
```
**Why both?**
- Guardian: Fast pattern matching, custom rules, no compilation needed
- Slither: Deep dataflow analysis, CFG-based detection, more comprehensive
## Integration with Other Tools
### Hardhat
```javascript
// hardhat.config.js
require('./skills/solidity-guardian/hardhat-plugin');
// Run: npx hardhat guardian
```
### Foundry
```bash
# Add to CI
forge build
node skills/solidity-guardian/analyze.js ./src/
```
## References
- [Trail of Bits - Building Secure Contracts](https://github.com/crytic/building-secure-contracts)
- [OpenZeppelin - Security Best Practices](https://docs.openzeppelin.com/learn/preparing-for-mainnet)
- [Consensys - Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/)
- [SWC Registry](https://swcregistry.io/)
---
Built by Avi 🔐 | Security-first, ship always.