clarity-audit
Clarity Audit Skill
Structured security audit for Clarity smart contracts. Produces a comprehensive review covering correctness, security vulnerabilities, design concerns, and deployment readiness. Designed to work both as a standalone skill (structured JSON output) and as the foundation for the clarity-expert agent (open-ended reasoning).
Usage
This is a doc-only skill. Agents read this file to understand the audit framework and invoke it through the skill framework or clarity-expert agent. The CLI interface below documents the planned implementation.
bun run clarity-audit/clarity-audit.ts <subcommand> [options]
Subcommands
audit
Run a full structured audit on a Clarity contract.
bun run clarity-audit/clarity-audit.ts audit --source <path-to-file.clar> [--contract-id <deployed-contract-id>] [--severity-threshold <level>]
Options:
--source(required) — Path to the.clarsource file to audit--contract-id(optional) — Deployed contract ID for on-chain verification; enables cross-referencing deployed vs source--severity-threshold(optional) — Minimum severity to report:critical,high,medium,low(default:low)
Output:
{
"file": "contracts/my-contract.clar",
"summary": "Token transfer contract with admin controls and minting capability",
"verdict": "CONDITIONAL_PASS",
"riskLevel": "MEDIUM",
"stats": {
"publicFunctions": 5,
"readOnlyFunctions": 3,
"privateFunctions": 2,
"maps": 2,
"dataVars": 1,
"constants": 8
},
"whatWorksCorrectly": [
"Transfer function uses try! for error propagation",
"Admin functions check tx-sender against owner constant",
"Events follow structured notification/payload format"
],
"bugs": [
{
"severity": "high",
"title": "Unbounded mint allows infinite token supply",
"location": {"function": "mint", "line": 45},
"description": "The mint function has no supply cap check. Any admin can mint unlimited tokens.",
"recommendation": "Add MAX_SUPPLY constant and check (< (+ current-supply amount) MAX_SUPPLY) before minting",
"category": "logic"
}
],
"designConcerns": [
{
"severity": "medium",
"title": "Single admin with no succession plan",
"description": "CONTRACT_OWNER is set at deploy time with no transfer mechanism",
"recommendation": "Add set-admin function with two-step transfer (propose + accept)"
}
],
"gasAnalysis": {
"mostExpensiveFunction": "batch-transfer",
"concern": "fold over list of 200 recipients may approach block limits"
}
}
quick-check
Run a lightweight scan focused on critical and high severity issues only.
bun run clarity-audit/clarity-audit.ts quick-check --source <path-to-file.clar>
Options:
--source(required) — Path to the.clarsource file
Output:
{
"file": "contracts/my-contract.clar",
"criticalIssues": 0,
"highIssues": 1,
"quickVerdict": "REVIEW_NEEDED",
"findings": [
{
"severity": "high",
"title": "Unbounded mint allows infinite token supply",
"line": 45,
"fix": "Add MAX_SUPPLY cap"
}
]
}
function-review
Audit a single function in detail with color-coded risk assessment.
bun run clarity-audit/clarity-audit.ts function-review --source <path-to-file.clar> --function <function-name>
Options:
--source(required) — Path to the.clarsource file--function(required) — Function name to review
Output:
{
"function": "transfer",
"visibility": "public",
"riskColor": "ORANGE",
"riskReason": "Token transfer with external call",
"parameters": [
{"name": "amount", "type": "uint", "validated": true},
{"name": "to", "type": "principal", "validated": false}
],
"checks": [
{"check": "Input validation", "status": "partial", "detail": "amount checked but recipient not validated"},
{"check": "Proper sender check", "status": "pass", "detail": "Uses tx-sender correctly"},
{"check": "Error propagation", "status": "pass", "detail": "Uses try! for ft-transfer?"},
{"check": "Post-condition safe", "status": "warn", "detail": "No post-condition hints in contract"},
{"check": "Reentrancy safe", "status": "pass", "detail": "State changes before external calls"}
],
"recommendation": "Add recipient validation (not contract principal) if transfers should be restricted to standard principals"
}
Risk Color Framework
| Color | Meaning | Examples |
|---|---|---|
| GREEN | Harmless read-only | get-balance, get-stats |
| YELLOW | State changes with proper guards | check-in with auth, vote with snapshot |
| ORANGE | Token transfers, external calls | transfer, swap, any contract-call? |
| RED | Critical — admin functions, treasury access | withdraw, mint, set-admin, upgrade |
Audit Categories
| Category | What it covers |
|---|---|
logic |
Incorrect behavior, missing checks, wrong conditions |
security |
Reentrancy, overflow, access control bypass, locked funds |
design |
Architecture issues, missing features, upgrade concerns |
gas |
Functions that may exceed block cost limits |
standards |
SIP compliance, event format, naming conventions |
Severity Levels
| Level | Criteria |
|---|---|
critical |
Funds at risk, contract can be bricked, exploitable by anyone |
high |
Significant logic errors, access control issues, economic attacks |
medium |
Non-critical issues that affect functionality or user experience |
low |
Best practice violations, code quality, documentation gaps |
Notes
- This skill produces structured output for automated processing
- For open-ended security reasoning and multi-contract analysis, use the
clarity-expertagent - The audit is static analysis only — it does not execute the contract
- Always combine with
clarity-checkfor pre-deployment validation - For production-critical contracts, supplement with RV fuzz testing via
clarity-test-scaffold - Reference: pbtc21/publisher-succession#1 for example audit output
More from aibtcdev/skills
arxiv-research
Fetch and compile arXiv papers on LLMs, autonomous agents, and AI infrastructure into scored, grouped research digests. Stores digests at ~/.aibtc/arxiv-research/digests/. No API key required.
178aibtc-news
aibtc.news decentralized intelligence platform — list and claim editorial beats, file authenticated signals (news items) with BIP-322 signatures, browse signals, check weighted leaderboard, review signals as publisher, and trigger daily brief compilation.
166aibtc-news-correspondent
Correspondent for aibtc.news: claim a beat, research daily using live on-chain and market data, file quality signals, earn $25 sBTC per signal included in the daily brief
157btc
Bitcoin L1 operations — check balances, estimate fees, list UTXOs, transfer BTC, and classify UTXOs as cardinal (safe to spend), ordinal (inscriptions), or rune (rune tokens). Data sourced from mempool.space and the Unisat API.
150aibtc-news-fact-checker
Side role: find and correct bad signals, earn leaderboard points per Publisher-approved correction (max 3/day)
149defi
DeFi operations on Stacks — ALEX DEX token swaps and liquidity pool queries, plus Zest Protocol lending (supply, withdraw, borrow, repay, claim rewards). All operations are mainnet-only. Write operations require an unlocked wallet.
148