ReddRadar
Agent skill
solidity-auditor
Professional-grade Solidity smart contract security auditor. Performs comprehensive audits or targeted reviews (security vulnerabilities, gas optimization, storage optimization, code architecture, DeFi protocol analysis). Use this skill when users request smart contract audits, security reviews, vulnerability assessments, gas/storage optimization analysis, code quality reviews, or when analyzing Solidity code for any security or quality concerns. Supports all Solidity versions with version-specific vulnerability detection. Based on OWASP Smart Contract Top 10 (2025) and real-world exploit patterns.
Install this agent skill to your Project
npx add-skill https://github.com/schwepps/skills/tree/main/solidity-auditor
SKILL.md
Solidity Smart Contract Auditor
A professional-grade smart contract audit skill covering security vulnerabilities, gas optimization, storage patterns, and code architecture. Adapted to Solidity version specifics.
Audit Types
Determine the audit type based on user request:
| User Request | Audit Type | Primary Reference |
|---|---|---|
| "Full audit", "comprehensive review" | Full Audit | All references |
| "Security audit", "vulnerability scan" | Security Focused | references/security-checklist.md |
| "Gas optimization", "reduce gas costs" | Gas Optimization | references/gas-optimization.md |
| "Storage optimization", "storage patterns" | Storage Optimization | references/storage-optimization.md |
| "Code review", "architecture review" | Architecture Review | references/architecture-review.md |
| "DeFi audit", "protocol review" | DeFi Protocol | Security + Architecture references |
Core Audit Workflow
Phase 1: Preparation
-
Identify Solidity Version: Check pragma statement. Read
references/version-specific.mdfor version-specific considerations:- Pre-0.8.0: Check for SafeMath usage, arithmetic vulnerabilities
- 0.8.0+: Review
uncheckedblocks, check custom errors usage
-
Understand Scope:
- List all contracts, interfaces, libraries
- Identify external dependencies (OpenZeppelin, etc.)
- Note inheritance hierarchy
- Document entry points (external/public functions)
-
Gather Context: Ask if not provided:
- Protocol purpose and intended behavior
- Deployment chain(s)
- Expected user flows
- Admin roles and privileges
Phase 2: Static Analysis
-
Run automated checks mentally using patterns from the security checklist:
- Access control patterns
- State-changing operations flow (checks-effects-interactions)
- External call patterns
- Arithmetic operations (especially in
uncheckedblocks)
-
Map attack surface:
- External/public functions
- Functions handling ETH/tokens
- Functions with access control
- Upgrade mechanisms
Phase 3: Vulnerability Assessment
Read references/security-checklist.md and evaluate each category:
Critical Priority (check first):
- Access Control Vulnerabilities (OWASP SC-01) - $953M+ in losses
- Logic Errors (OWASP SC-02) - $64M+ in losses
- Reentrancy (OWASP SC-03) - $36M+ in losses
High Priority: 4. Flash Loan Attack Vectors (OWASP SC-04) 5. Input Validation (OWASP SC-05) 6. Oracle Manipulation (OWASP SC-06) 7. Unchecked External Calls (OWASP SC-07)
Medium Priority: 8. Integer Overflow/Underflow (version-dependent) 9. Denial of Service vectors 10. Front-running vulnerabilities
Phase 4: Optimization Analysis (if requested)
For gas optimization: Read references/gas-optimization.md
For storage optimization: Read references/storage-optimization.md
Phase 5: Report Generation
Use the template in references/report-template.md to structure findings.
Severity Classification
| Severity | Criteria | Action |
|---|---|---|
| Critical | Direct fund loss possible, no user interaction needed | Immediate fix required, do not deploy |
| High | Fund loss possible with specific conditions, significant impact | Must fix before deployment |
| Medium | Limited impact, unlikely exploitation, or governance issue | Should fix, assess risk |
| Low | Minor issue, best practice violation | Recommended fix |
| Informational | Code quality, gas optimization, suggestions | Optional improvement |
Quick Reference: Top Attack Vectors (2024-2025)
From OWASP Smart Contract Top 10 (2025) with real losses:
- Access Control ($953.2M): Missing/incorrect modifiers, exposed admin functions
- Logic Errors ($63.8M): Flawed business logic, incorrect calculations
- Reentrancy ($35.7M): State updates after external calls
- Flash Loans ($33.8M): Price manipulation, governance attacks
- Input Validation ($14.6M): Missing bounds checks, unchecked parameters
- Oracle Manipulation ($8.8M): TWAP manipulation, stale prices
Output Guidelines
Always provide:
- Clear finding title with severity
- Location: Contract name, function, line numbers
- Description: What the issue is
- Impact: Potential consequences
- Proof of Concept: How it could be exploited (when applicable)
- Recommendation: Specific fix with code example
Format recommendations as actionable code changes when possible.
Reference Files
Load these as needed based on audit type:
references/security-checklist.md- Complete vulnerability checklist with detection patternsreferences/gas-optimization.md- Gas optimization techniques and patternsreferences/storage-optimization.md- Storage layout and optimizationreferences/architecture-review.md- Code architecture best practicesreferences/version-specific.md- Solidity version considerationsreferences/report-template.md- Professional audit report template
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
schwepps/skills
seo-technical-audit
Professional technical SEO audit that analyzes crawlability, Core Web Vitals, site architecture, mobile readiness, security, structured data, and AI crawler configuration. Use when auditing websites for technical SEO issues, diagnosing indexation problems, or preparing comprehensive SEO reports.
schwepps/skills
suno-music-creator
Professional music creation with Suno AI V5 and Suno Studio. Use this skill when users want to create songs, playlists, corporate anthems, jingles, workout music, ambient soundscapes, or any AI-generated music. Triggers on requests mentioning Suno, music creation, playlist generation, song composition, or specific music projects like "create a track", "make a playlist", "compose music for", "corporate anthem", "workout mix", or any music production task.
schwepps/skills
seo-content-audit
Comprehensive on-page SEO and content quality audit covering title tags, meta descriptions, header structure, keyword optimization, E-E-A-T signals, readability, and content scoring. Use when evaluating content for SEO performance, reviewing articles before publication, or creating content improvement recommendations.
schwepps/skills
geo-aeo-optimization
Optimize content for AI search engines (ChatGPT, Perplexity, Claude, Gemini) and featured snippets. Covers Generative Engine Optimization (GEO), Answer Engine Optimization (AEO), E-E-A-T signals, and content structuring for maximum AI citation probability. Use when optimizing content for AI visibility or auditing AI search readiness.
schwepps/skills
linkedin-roast
Hilarious LinkedIn profile roasting skill that delivers savage but friendly comedy burns based on someone's profile, activities, skills, experience, or lack thereof. Use when users ask to roast a LinkedIn profile, make fun of someone's professional presence, or want a humorous critique of LinkedIn content. Triggers on requests like "roast this LinkedIn", "make fun of this profile", "roast me", "give me a LinkedIn roast", "flame this profile", or any request for comedic mockery of a professional profile.
schwepps/skills
install-skill
This skill should be used when the user asks to "install a skill", "add a skill to the project", "unpack a skill", or "integrate a new skill". Automates the full workflow of unpacking .skill packages from dist/ and registering them in the marketplace.
Didn't find tool you were looking for?