{"id":"e49dce79-4c20-484a-aca9-73c9c420510d","shortId":"YPR44R","kind":"skill","title":"smart-contract-audit","tagline":"Use this skill to audit Solidity, Vyper, EVM, DeFi, oracle, accounting, reentrancy, and upgradeability risks. Do not use it for legal contract review.","description":"# smart-contract-audit\n\n## English\n\n### Purpose\n\nAudit smart contracts for high-confidence security issues.\n\n### Workflow\n\n1. Identify assets under management.\n2. Identify privileged roles.\n3. Identify accounting model.\n4. Identify oracle dependencies.\n5. Identify upgradeability pattern.\n6. Check reentrancy, access control, business logic, arithmetic, ERC20 edge cases, and invariants.\n7. Output findings and Foundry/Echidna test ideas.\n\n### Safety rules\n\nDo not auto-fix accounting, governance, upgradeability, or custody-of-funds findings without explicit human selection.\n\n\n### Canonical finding format\n\n```yaml\nid: F-001\nseverity: Critical | High | Medium | Low | Informational\nconfidence: High | Medium | Low\ncategory:\naffected_code:\nroot_cause:\nexploit_path:\npreconditions:\nimpact:\nevidence:\nminimal_fix:\nregression_test:\nauto_fix_suitability: Safe | Needs Human Review | Do Not Auto-Fix\nnotes:\n```\n\n### v0.6 operational guardrails\n\n- Keep the skill within its stated trigger conditions and the user's explicitly provided scope.\n- Preserve project safety boundaries: audit-only by default; Do not execute exploits, Do not auto-merge, Do not upload private source code or secrets, and do not scan unrelated repositories without explicit user request.\n- Ask for explicit human approval before patching high-risk auth, IAM, governance, funds, terminal, or agent-tooling behavior.\n- Report validation performed, files changed, residual risk, and any skipped future-phase work when finished.\n\n## 中文\n\n### 目的\n\n使用这个 skill 进行智能合约安全审计。它应该帮助审查者把输入边界、风险证据、影响、修复建议和回归测试组织成可复核的安全输出。\n\n### 触发条件\n\n适用于 
Solidity、Vyper、EVM、DeFi、oracle、accounting、reentrancy、upgradeability 和治理/资金风险。如果请求超出这些边界，先说明范围差异，并选择更合适的 prompt、skill 或人工 review 路径。\n\n### 不适用场景\n\n不要用于法律合同 review、普通 backend authz 或不涉及合约的 CI/CD review。不要把这个 skill 当作自动扫描整个仓库、执行 exploit、上传私有源码或 secrets、自动提交、自动推送或 auto-merge 的许可。\n\n### 操作流程\n\n1. 明确用户给出的目标、允许查看的材料和不能触碰的范围。\n2. 收集必要上下文，但只读取完成任务所需的文件、diff、workflow、fixture 或文档。\n3. 识别 trust boundary、privileged operation、sensitive data、preconditions 和 security impact。\n4. 只报告有 evidence 的 finding；缺少上下文时写 question 或 assumption。\n5. 为 confirmed issue 提出 minimal fix，并规划Foundry/Echidna regression、invariant、fuzz、恶意 token/callback mock 和 storage layout check。\n6. 完成后报告验证输出、残余风险和需要人工确认的事项。\n\n### 安全规则\n\n默认 audit-only。未经明确授权，不 patch、不 commit、不 push、不创建 PR、不 merge。不要执行 exploit，不要访问生产系统，不要打印 secrets。涉及 IAM、authz 模型、资金、治理、terminal 执行或 agent-tooling 权限的修复必须进入人工 review。\n\n### 输出要求\n\n使用 canonical finding format。每个 finding 都要包含 severity、confidence、category、affected_code、root_cause、exploit_path、preconditions、impact、evidence、minimal_fix、regression_test、auto_fix_suitability 和 notes。","tags":["smart","contract","audit","security","playbook","edmund-xl","agent-skills","chatgpt","codex","devsecops","mcp","smart-contracts"],"capabilities":["skill","source-edmund-xl","skill-smart-contract-audit","topic-agent-skills","topic-audit","topic-chatgpt","topic-codex","topic-devsecops","topic-mcp","topic-security","topic-smart-contracts"],"categories":["ai-security-audit-playbook"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/edmund-xl/ai-security-audit-playbook/smart-contract-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add edmund-xl/ai-security-audit-playbook","source_repo":"https://github.com/edmund-xl/ai-security-audit-playbook","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 7 github stars · SKILL.md body (2,649 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:44.286Z","embedding":null,"createdAt":"2026-05-18T13:21:29.891Z","updatedAt":"2026-05-18T19:13:44.286Z","lastSeenAt":"2026-05-18T19:13:44.286Z","prices":[{"id":"f574e3d3-a00f-4867-b8fd-456a8bbe3118","listingId":"e49dce79-4c20-484a-aca9-73c9c420510d","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"edmund-xl","category":"ai-security-audit-playbook","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:29.891Z"}],"sources":[{"listingId":"e49dce79-4c20-484a-aca9-73c9c420510d","source":"github","sourceId":"edmund-xl/ai-security-audit-playbook/smart-contract-audit","sourceUrl":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/smart-contract-audit","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:29.891Z","lastSeenAt":"2026-05-18T19:13:44.286Z"}],"details":{"listingId":"e49dce79-4c20-484a-aca9-73c9c420510d","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"edmund-xl","slug":"smart-contract-audit","github":{"repo":"edmund-xl/ai-security-audit-playbook","stars":7,"topics":["agent-skills","audit","chatgpt","codex","devsecops","mcp","security","smart-contracts"],"license":"mit","html_url":"https://github.com/edmund-xl/ai-security-audit-playbook","pushed_at":"2026-05-13T02:30:26Z","description":"Local-first, audit-only security review playbook for AI coding agents: prompts, skills, read-only MCP, findings, and regression tests.","skill_md_sha":"5d8f62754bd30bc844efddae80caa5dcbb570c90","skill_md_path":"skills/smart-contract-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/smart-contract-audit"},"layout":"multi","source":"github","category":"ai-security-audit-playbook","frontmatter":{"name":"smart-contract-audit","description":"Use this skill to audit Solidity, Vyper, EVM, DeFi, oracle, accounting, reentrancy, and upgradeability risks. Do not use it for legal contract review."},"skills_sh_url":"https://skills.sh/edmund-xl/ai-security-audit-playbook/smart-contract-audit"},"updatedAt":"2026-05-18T19:13:44.286Z"}}