Low Risk — Risk Score 22/100
Last scan: 1 day ago
Auto Bug Finder
Iterative LLM-inspired Solidity smart contract security scanner that runs multi-tool analysis (Slither, Hardhat) in sprints to find and fix bugs
Legitimate Solidity security scanner that runs standard development tools (Hardhat, Slither) with undocumented auto-fix patching capability.
Skill Name: Auto Bug Finder
Duration: 31.4s
Engine: pi
Safe to install
Add explicit declaration of shell execution (exec) and filesystem write access for patch application to SKILL.md. Consider restricting auto-fix to a dry-run mode.

Findings (3 items)

Severity: Medium
Finding: Shell execution not declared in documentation (Doc Mismatch)
Location: auto-bug-finder.js:36
SKILL.md describes the tool's purpose and outputs but never explicitly mentions that it uses Node.js child_process.exec/execSync to run the hardhat and slither commands. While the tools mentioned are standard dev tooling, the execution mechanism should be declared.
Evidence: const { execSync, exec } = require('child_process');
Recommendation: Add to SKILL.md: 'Requires shell execution to run npx hardhat compile, npx hardhat test, slither, and npx hardhat coverage'

Severity: Medium
Finding: Auto-fix patch application modifies source files without clear warning (Doc Mismatch)
Location: auto-bug-finder.js:460
The script applies automatic fixes to the contract source file (line 460: fs.writeFileSync(CONTRACT_PATH, contractSource)) and creates .bak backups. SKILL.md describes 'generating patches' but does not clearly state that the script writes back to the original contract source.
Evidence: fs.writeFileSync(CONTRACT_PATH, contractSource);
Recommendation: Add to SKILL.md: 'Auto-fixes are applied directly to the contract source with .bak backups created. The skill modifies the contract file when applying patches.'

Severity: Low
Finding: Hardcoded project directory assumptions (Sensitive Access)
Location: auto-bug-finder.js:34
The script uses hardcoded path resolution (path.resolve(__dirname, '..')) and expects a specific project structure (contracts/AgentEscrow.sol, test/AgentEscrow.test.js). This could cause issues in different project layouts.
Evidence: const PROJECT_DIR = path.resolve(__dirname, '..');
Recommendation: Document the expected project structure or make paths configurable via the CONFIG object
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | auto-bug-finder.js:55 reads CONTRACT_PATH via fs.readFileSync
Filesystem | NONE | WRITE | ✗ Violation | auto-bug-finder.js:460-462 writes contract source and .bak backups
Shell | NONE | WRITE | ✗ Violation | auto-bug-finder.js:36-48 uses exec/execSync for npx hardhat and slither commands
Network | NONE | NONE | | No network calls observed
Environment | NONE | NONE | | process.env spread only, no harvesting
credential_access | NONE | NONE | | No sensitive path or credential access

File Tree

2 files · 44.2 KB · 1226 lines
JavaScript: 1 file · 1141 lines; Markdown: 1 file · 85 lines
├─ 📜 auto-bug-finder.js JavaScript 1141L · 41.0 KB
└─ 📝 SKILL.md Markdown 85L · 3.1 KB

Security Positives

✓ No credential harvesting or sensitive file access
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Uses standard, legitimate security tools (Hardhat, Slither)
✓ Creates backups before patching (.bak files)
✓ Has a max sprint limit (10) as a safety mechanism
✓ Will revert changes if new test failures are introduced
✓ False positive detection built in (checkSlitherFalsePositive)
✓ No network exfiltration or C2 communication
✓ No reverse shell, RCE, or malicious code execution