audit-reports

Generate formatted security audit findings for Web3 platforms (Sherlock, Code4rena, Cantina). Use when a user needs to report vulnerabilities, format findings, or create audit reports for smart contract security contests.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "audit-reports" with this command: npx skills add fethallaheth/audit-reports-skill/fethallaheth-audit-reports-skill-audit-reports

Audit Reports

Generate properly formatted security vulnerability reports for major Web3 audit contest platforms. Each platform has specific formatting requirements and judging criteria.

Supported Platforms

| Platform  | Format          | Severity Levels                    |
|-----------|-----------------|------------------------------------|
| Sherlock  | GitHub Issues   | HIGH, MEDIUM                       |
| Code4rena | Submission Form | High (3), Medium (2), QA (1)       |
| Cantina   | LightChaser     | High, Medium, Low, Info            |

Quick Start

When a user requests a finding report:

  1. Ask which platform (default: Code4rena format)
  2. Collect vulnerability details: title, severity, description, affected code, PoC, remediation
  3. Generate formatted report using the appropriate platform template
  4. Output the complete markdown ready for submission

Platform Resources

Sherlock

  • guides/sherlock/ - Official judging guidelines and severity criteria
  • examples/sherlock.md - Complete finding example
  • platforms/sherlock/template.md - Report template with invalid issues checklist

Code4rena

  • guides/code4rena/ - Risk ratings, PoC rules, QA report format
  • examples/code4rena.md - Complete finding example
  • platforms/code4rena/template.md - Submission format

Cantina

  • guides/cantina/ - Severity matrix, duplication rules, PoC requirements
  • examples/cantina.md - Complete finding example
  • platforms/cantina/template.md - Detailed submission template

Severity Quick Reference

Sherlock

| Severity | Criteria                                                              |
|----------|-----------------------------------------------------------------------|
| HIGH     | >1% AND >$10 loss, direct without extensive conditions                |
| MEDIUM   | >0.01% AND >$10 loss, with constraints OR breaks core functionality   |
| DOS      | >1 week locked = Medium; + time-sensitive = High                      |

Code4rena

| Risk Rating | Criteria                                                                  |
|-------------|---------------------------------------------------------------------------|
| 3 - High    | Assets stolen/lost/compromised (directly or via valid attack path)        |
| 2 - Medium  | Assets not at direct risk, but protocol function/availability impacted    |
| 1 - QA      | No assets at risk; includes Low + Governance/Centralization               |

Cantina

| Severity | Impact                                      | Likelihood |
|----------|---------------------------------------------|------------|
| High     | Loss of funds / Breaks core functionality   | High       |
| Medium   | DOS / Minor fund loss / Breaks non-core     | Medium     |
| Low      | No assets at risk                           | Any        |

Common Invalid Issues (All Platforms)

  • Gas optimizations
  • Incorrect event values (no broader impact)
  • Zero address checks
  • User input validation only
  • Admin mistakes (common sense)
  • Approve/safeApprove front-running (Code4rena: explicitly invalid)
  • Weird/non-standard tokens (unless explicitly in scope)
  • View function errors (unused within protocol)

Best Practices

  1. Clear Title - Concise; names the vulnerability type
  2. Impact First - Judges need to understand the risk quickly
  3. Root Cause - Explain WHY, not just WHAT
  4. Code References - Use file:line format (e.g., src/Vault.sol:142)
  5. Working PoC - Executable test demonstrating the issue
  6. Clear Remediation - Specific code-level fix suggestions

Workflow Checklist

  • Identify target platform
  • Verify severity matches platform guidelines
  • Ensure PoC is executable
  • Include specific code references
  • Provide actionable remediation
  • Review against platform's judging criteria

Resources

  • examples/ - Complete finding examples for each platform
  • guides/ - Official judging criteria and severity guides
  • platforms/ - Report templates and checklists

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
