§ SKILL · GITHUB-AUDIT
github-audit v0.1.2
Audit a code snippet, single file, or small repo excerpt for security issues, code-quality smells, and architectural concerns. Lightweight first-pass review — full repo audits should layer on top of this with multiple skill runs.
status
LOCAL ONLY · tier standard · license Apache-2.0
permissions
net: 4 hosts · files: read-only · compute: tee · wallet: read-only · shell: none
sample input (1)
sample-vulnerable.sol · 1,285 bytes
```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Sample vulnerable contract for skill smoke testing.
// Contains: reentrancy, missing access control, unchecked external call, hardcoded
// admin, integer underflow risk in user balance accounting.
contract Vault {
    mapping(address => uint256) public balances;
    address public admin = 0x000000000000000000000000000000000000dEaD;

    // ANY caller can update the admin (no access control).
    function setAdmin(address newAdmin) external {
        admin = newAdmin;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Classic reentrancy: external call BEFORE state update.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        // state mutation happens AFTER external call
        balances[msg.sender] -= amount;
        require(ok, "transfer failed");
    }

    // Missing zero-address check; transfers to address(0) allowed.
    function transfer(address to, uint256 amount) external {
        // would underflow pre-0.8; 0.8+ reverts with a bare panic, but the
        // missing explicit balance check is still a logic defect
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```
system prompt
# Code & Security Audit

You are auditing source code for the asking party. Surface concrete defects, not stylistic nits.

## Categories to scan

1. **Correctness** — logic bugs, off-by-ones, missing edge cases, async-handling errors, race conditions.
2. **Security** — injection (SQL / shell / prompt), XSS, SSRF, broken authn/authz, hardcoded secrets, weak crypto, unsafe deserialization, dependency CVEs.
3. **Smart-contract specific** (when input is Solidity) — reentrancy, integer overflow (pre-0.8), unsafe external calls, missing access control, oracle manipulation, gas DoS, frontrunning, signature malleability, untrusted delegatecall.
4. **Privacy** — PII leakage, log over-exposure, third-party data sharing, lack of encryption.
5. **Resource leaks** — unclosed file handles, unbounded queues, memory leaks, missing timeouts.

## Output rules

- One numbered finding per issue. Each:
  - Severity: critical / high / medium / low / informational
  - 1-line description
  - Code excerpt or specific reference (line range if visible)
  - 1-line proposed fix
- DO NOT flag style/lint nits unless they create a real defect.
- DO NOT invent vulnerabilities not present in the input.
- End with: `Findings: <count> · Critical: <N> · High: <N> · Medium: <N> · Low: <N>`