solidity-guardian

Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matchi...

Install via ClawdBot CLI:

```bash
clawdbot install aviclaw/solidity-guardian
```

Security analysis for Solidity smart contracts. Find vulnerabilities, get fix suggestions, follow best practices.
```bash
# Analyze a single contract
node skills/solidity-guardian/analyze.js contracts/MyContract.sol

# Analyze entire project
node skills/solidity-guardian/analyze.js ./contracts/

# Generate markdown report
node skills/solidity-guardian/analyze.js ./contracts/ --format markdown > AUDIT.md
```
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-001 | Reentrancy | External calls before state updates |
| SG-002 | Unprotected selfdestruct | Missing access control on selfdestruct |
| SG-003 | Delegatecall to untrusted | Delegatecall with user-controlled address |
| SG-004 | Uninitialized storage pointer | Storage pointer overwrites slots |
| SG-005 | Signature replay | ecrecover without nonce/chainId |
| SG-006 | Arbitrary jump | Function type from user input |
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-010 | Missing access control | Public functions that should be restricted |
| SG-011 | Unchecked transfer | ERC20 transfer without return check |
| SG-012 | Integer overflow | Arithmetic without SafeMath (pre-0.8) |
| SG-013 | tx.origin auth | Using tx.origin for authentication |
| SG-014 | Weak randomness | block.timestamp/blockhash for randomness |
| SG-015 | Unprotected withdrawal | Withdrawal without ownership check |
| SG-016 | Unchecked low-level call | .call() without success check |
| SG-017 | Dangerous equality | Strict balance check (manipulable) |
| SG-018 | Deprecated functions | suicide, sha3, throw, callcode |
| SG-019 | Wrong constructor | Function name matches contract |
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-020 | Floating pragma | Non-pinned Solidity version |
| SG-021 | Missing zero check | No validation for zero address |
| SG-022 | Timestamp dependence | Logic depends on block.timestamp |
| SG-023 | DoS with revert | Loop with external call can revert |
| SG-024 | Front-running risk | Predictable state changes |
| ID | Vulnerability | Description |
|----|--------------|-------------|
| SG-030 | Missing events | State changes without events |
| SG-031 | Magic numbers | Hardcoded values without constants |
| SG-032 | Implicit visibility | Functions without explicit visibility |
| SG-033 | Large contract | Contract exceeds size recommendations |
| SG-034 | Missing NatSpec | Public functions without documentation |
```javascript
const fs = require('fs');
const { analyzeContract } = require('./analyzer');
const { generateReport } = require('./reporter');

// CommonJS has no top-level await, so the calls run inside an async function.
async function main() {
  // Analyze a single contract and dump all findings
  const tokenResults = await analyzeContract('contracts/Token.sol');
  console.log(tokenResults.findings);

  // Restrict to critical/high findings and include fix suggestions
  const vaultResults = await analyzeContract('contracts/Vault.sol', {
    includeFixes: true,
    severity: ['critical', 'high']
  });
  for (const finding of vaultResults.findings) {
    console.log(`[${finding.severity}] ${finding.title}`);
    console.log(`  Line ${finding.line}: ${finding.description}`);
    console.log(`  Fix: ${finding.suggestion}`);
  }

  // Generate a markdown report for the whole project and write it to disk
  const report = await generateReport('./contracts/', {
    format: 'markdown',
    includeGas: true,
    includeBestPractices: true
  });
  fs.writeFileSync('SECURITY_AUDIT.md', report);
}

main().catch((err) => { console.error(err); process.exit(1); });
```
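As an added illustration (not the project's analyzer or its output), here is a minimal line-based pattern matcher for four of the rules in the table above, producing findings in the shape the usage snippet prints; the regexes, severity labels and sample contract are constructed for this example.

```javascript
// Added illustration, not the project's analyzer: rule IDs/titles come from the
// SG table; regexes, severity labels and the sample contract are constructed here.
const RULES = [
  { id: 'SG-020', severity: 'medium', title: 'Floating pragma',
    description: 'Non-pinned Solidity version',
    suggestion: 'Pin an exact compiler version',
    test: (c) => /^\s*pragma\s+solidity\s+[\^~<>]/.test(c) },
  { id: 'SG-013', severity: 'high', title: 'tx.origin auth',
    description: 'Using tx.origin for authentication',
    suggestion: 'Authenticate with msg.sender, not tx.origin',
    test: (c) => /\btx\.origin\b/.test(c) },
  { id: 'SG-016', severity: 'high', title: 'Unchecked low-level call',
    description: '.call() without success check',
    // heuristic: a .call whose result is neither assigned nor wrapped in require()
    suggestion: 'Capture the returned bool and require() it',
    test: (c) => /\.call(\{[^}]*\})?\(/.test(c) && !/=|\brequire\s*\(/.test(c) },
  { id: 'SG-018', severity: 'high', title: 'Deprecated functions',
    description: 'suicide, sha3, throw, callcode',
    suggestion: 'Use selfdestruct, keccak256, revert() and delegatecall',
    test: (c) => /\b(suicide|sha3|throw|callcode)\b/.test(c) },
];
// Scan source line by line; returns {id, severity, title, line, description, suggestion}.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const code = raw.replace(/\/\/.*$/, ''); // ignore line comments
    for (const r of RULES) {
      if (r.test(code)) {
        findings.push({ id: r.id, severity: r.severity, title: r.title, line: i + 1,
                        description: r.description, suggestion: r.suggestion });
      }
    }
  });
  return findings;
}
// Constructed sample: lines 1, 5 and 6 should be flagged; line 9 is a checked call.
const SAMPLE = `pragma solidity ^0.8.0;
contract Vault {
    address owner;
    function withdraw(uint256 amount) external {
        require(tx.origin == owner, "not owner");
        payable(msg.sender).call{value: amount}("");
    }
    function safeSend(address payable to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}(""); // success is checked below
        require(ok, "send failed");
    }
}`;
for (const f of scan(SAMPLE)) console.log(`[${f.severity}] ${f.id} line ${f.line}: ${f.title}`);
```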
When writing secure contracts, follow these guidelines:

- Use Ownable or AccessControl
- Add onlyOwner or role checks to sensitive functions
- Apply ReentrancyGuard to all external-facing functions

Guardian can run alongside Slither for comprehensive analysis:
```bash
# Combined analysis (auto-installs Slither if missing)
node skills/solidity-guardian/slither-integration.js ./contracts/ --install-slither

# Generate combined report
node skills/solidity-guardian/slither-integration.js . --format markdown --output AUDIT.md

# Guardian only (faster, no Slither dependency)
node skills/solidity-guardian/slither-integration.js ./contracts/ --guardian-only

# Slither only
node skills/solidity-guardian/slither-integration.js ./contracts/ --slither-only
```
Why both?
```javascript
// hardhat.config.js
require('./skills/solidity-guardian/hardhat-plugin');
// Run: npx hardhat guardian
```

```bash
# Add to CI
forge build
node skills/solidity-guardian/analyze.js ./src/
```
Built by Avi | Security-first, ship always.
Generated Mar 1, 2026
Development teams building DeFi protocols, NFTs, or DAOs use Solidity Guardian during development to catch vulnerabilities early. It integrates into CI/CD pipelines to automate security checks before deployment, ensuring contracts adhere to best practices from Trail of Bits and OpenZeppelin.
Auditing firms employ Solidity Guardian as a preliminary scanning tool to identify common vulnerabilities like reentrancy or unprotected selfdestruct. It helps auditors generate initial reports quickly, allowing them to focus manual review on complex issues flagged by the tool.
Universities and coding bootcamps teaching Solidity use Solidity Guardian to help students learn secure coding practices. It provides instant feedback on assignments, highlighting vulnerabilities such as integer overflow or missing access control, reinforcing industry standards.
Large enterprises implementing private or consortium blockchains for supply chain or finance use Solidity Guardian to ensure contract security. It detects vulnerabilities in custom business logic, supports Hardhat/Foundry projects, and generates audit reports for compliance and risk management.
Startups launching DApps use Solidity Guardian to scan their smart contracts for critical vulnerabilities before mainnet deployment. The tool's pattern matching and fix suggestions help reduce security risks, build user trust, and avoid costly exploits in production environments.
Offer a free basic version for individual developers with limited scans, and a paid tier for teams with advanced features like custom rules, priority support, and integration with CI/CD tools. Revenue comes from monthly subscriptions based on usage volume or number of contracts analyzed.
Sell annual licenses to large organizations, such as auditing firms or enterprises, providing full access to the tool, dedicated support, and customization options. This model includes training, maintenance, and updates, ensuring long-term partnerships and steady revenue streams.
Partner with blockchain development platforms like Hardhat or Foundry to bundle Solidity Guardian as a premium security add-on. Revenue is generated through revenue-sharing agreements or referral fees, leveraging existing user bases to drive adoption and scale the tool's reach.
Integration Tip
Integrate Solidity Guardian into your CI/CD pipeline using the provided Hardhat plugin or Foundry scripts to automate security checks on every code commit, ensuring vulnerabilities are caught early in the development cycle.