clarity-audit
Original:🇺🇸 English
Translated
Clarity smart contract security audit — structured review covering correctness, security vulnerabilities, design concerns, and deployment readiness.
9installs
Sourceaibtcdev/skills
Added on
NPX Install
npx skill4agent add aibtcdev/skills clarity-auditTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →Clarity Audit Skill
Structured security audit for Clarity smart contracts. Produces a comprehensive review covering correctness, security vulnerabilities, design concerns, and deployment readiness. Designed to work both as a standalone skill (structured JSON output) and as the foundation for the agent (open-ended reasoning).
clarity-expertUsage
This is a doc-only skill. Agents read this file to understand the audit framework and invoke it through the skill framework or agent. The CLI interface below documents the planned implementation.
clarity-expertbun run clarity-audit/clarity-audit.ts <subcommand> [options]Subcommands
audit
Run a full structured audit on a Clarity contract.
bun run clarity-audit/clarity-audit.ts audit --source <path-to-file.clar> [--contract-id <deployed-contract-id>] [--severity-threshold <level>]Options:
- (required) — Path to the
--sourcesource file to audit.clar - (optional) — Deployed contract ID for on-chain verification; enables cross-referencing deployed vs source
--contract-id - (optional) — Minimum severity to report:
--severity-threshold,critical,high,medium(default:low)low
Output:
json
{
"file": "contracts/my-contract.clar",
"summary": "Token transfer contract with admin controls and minting capability",
"verdict": "CONDITIONAL_PASS",
"riskLevel": "MEDIUM",
"stats": {
"publicFunctions": 5,
"readOnlyFunctions": 3,
"privateFunctions": 2,
"maps": 2,
"dataVars": 1,
"constants": 8
},
"whatWorksCorrectly": [
"Transfer function uses try! for error propagation",
"Admin functions check tx-sender against owner constant",
"Events follow structured notification/payload format"
],
"bugs": [
{
"severity": "high",
"title": "Unbounded mint allows infinite token supply",
"location": {"function": "mint", "line": 45},
"description": "The mint function has no supply cap check. Any admin can mint unlimited tokens.",
"recommendation": "Add MAX_SUPPLY constant and check (< (+ current-supply amount) MAX_SUPPLY) before minting",
"category": "logic"
}
],
"designConcerns": [
{
"severity": "medium",
"title": "Single admin with no succession plan",
"description": "CONTRACT_OWNER is set at deploy time with no transfer mechanism",
"recommendation": "Add set-admin function with two-step transfer (propose + accept)"
}
],
"gasAnalysis": {
"mostExpensiveFunction": "batch-transfer",
"concern": "fold over list of 200 recipients may approach block limits"
}
}quick-check
Run a lightweight scan focused on critical and high severity issues only.
bun run clarity-audit/clarity-audit.ts quick-check --source <path-to-file.clar>Options:
- (required) — Path to the
--sourcesource file.clar
Output:
json
{
"file": "contracts/my-contract.clar",
"criticalIssues": 0,
"highIssues": 1,
"quickVerdict": "REVIEW_NEEDED",
"findings": [
{
"severity": "high",
"title": "Unbounded mint allows infinite token supply",
"line": 45,
"fix": "Add MAX_SUPPLY cap"
}
]
}function-review
Audit a single function in detail with color-coded risk assessment.
bun run clarity-audit/clarity-audit.ts function-review --source <path-to-file.clar> --function <function-name>Options:
- (required) — Path to the
--sourcesource file.clar - (required) — Function name to review
--function
Output:
json
{
"function": "transfer",
"visibility": "public",
"riskColor": "ORANGE",
"riskReason": "Token transfer with external call",
"parameters": [
{"name": "amount", "type": "uint", "validated": true},
{"name": "to", "type": "principal", "validated": false}
],
"checks": [
{"check": "Input validation", "status": "partial", "detail": "amount checked but recipient not validated"},
{"check": "Proper sender check", "status": "pass", "detail": "Uses tx-sender correctly"},
{"check": "Error propagation", "status": "pass", "detail": "Uses try! for ft-transfer?"},
{"check": "Post-condition safe", "status": "warn", "detail": "No post-condition hints in contract"},
{"check": "Reentrancy safe", "status": "pass", "detail": "State changes before external calls"}
],
"recommendation": "Add recipient validation (not contract principal) if transfers should be restricted to standard principals"
}Risk Color Framework
| Color | Meaning | Examples |
|---|---|---|
| GREEN | Harmless read-only | |
| YELLOW | State changes with proper guards | |
| ORANGE | Token transfers, external calls | |
| RED | Critical — admin functions, treasury access | |
Audit Categories
| Category | What it covers |
|---|---|
| Incorrect behavior, missing checks, wrong conditions |
| Reentrancy, overflow, access control bypass, locked funds |
| Architecture issues, missing features, upgrade concerns |
| Functions that may exceed block cost limits |
| SIP compliance, event format, naming conventions |
Severity Levels
| Level | Criteria |
|---|---|
| Funds at risk, contract can be bricked, exploitable by anyone |
| Significant logic errors, access control issues, economic attacks |
| Non-critical issues that affect functionality or user experience |
| Best practice violations, code quality, documentation gaps |
Notes
- This skill produces structured output for automated processing
- For open-ended security reasoning and multi-contract analysis, use the agent
clarity-expert - The audit is static analysis only — it does not execute the contract
- Always combine with for pre-deployment validation
clarity-check - For production-critical contracts, supplement with RV fuzz testing via
clarity-test-scaffold - Reference: pbtc21/publisher-succession#1 for example audit output