Is audit-lite a replacement for a security audit?

No. It is an automated risk checklist designed to surface issues before a formal security review.

What sources does audit-lite analyze?

Contract source, test results, coverage data, and static analysis outputs across Access Control, External Calls, Upgradeability, Admin Powers, and Events.

How are risks presented?

As a Risk Register organized by category, each with severity, status, and notes to guide remediation.

audit-lite

Scanned

npx machina-cli add skill HCS412/contractkit/audit-lite --openclaw

Files (1)

SKILL.md

3.4 KB

ContractKit: Audit-Lite

Generate a risk register and checklist. This is NOT an audit.

Disclaimer

╔════════════════════════════════════════════════════════════════╗
║                        NOT AN AUDIT                            ║
║                                                                ║
║  This is an automated risk checklist, not a security audit.   ║
║  It cannot replace professional security review.              ║
║  Do not deploy to mainnet based solely on this report.        ║
╚════════════════════════════════════════════════════════════════╝

Process

1. Run Tests

forge test -vvv

Report: pass/fail count, any failures

2. Check Coverage (if available)

forge coverage

Report: line/branch coverage percentages

3. Run Slither (if installed)

slither . --json slither-output.json

If not installed, note it as skipped and suggest installation.

4. Static Analysis

Analyze contract source for:

Access Control
- Are admin functions protected?
- Can roles be granted/revoked appropriately?
- Is there a single point of failure (single admin key)?
External Calls
- Are there calls to external contracts?
- Is reentrancy protected?
- Are return values checked?
Upgradeability
- Is the contract upgradeable?
- Who controls upgrades?
- Is there a time-lock?
Admin Powers
- What can admins do?
- Can admins rug users?
- Are there emergency functions?
Events
- Are state changes logged?
- Can off-chain systems monitor activity?

5. Generate Risk Register

Output Format

# Audit-Lite Report

**NOT AN AUDIT** - This is an automated checklist.

Generated: [date]
Project: [name]

## Test Results

- Tests: X passed, Y failed
- Coverage: Z% (if available)

## Risk Register

### Access Control

| Risk | Severity | Status | Notes |
|------|----------|--------|-------|
| Single admin key | Medium | Open | Consider multi-sig |
| Unrestricted minting | High | Mitigated | Role-protected |

### External Calls

| Risk | Severity | Status | Notes |
|------|----------|--------|-------|
| Reentrancy | High | N/A | No external calls |

### Upgradeability

| Risk | Severity | Status | Notes |
|------|----------|--------|-------|
| Malicious upgrade | Critical | N/A | Not upgradeable |

### Admin Powers

| Risk | Severity | Status | Notes |
|------|----------|--------|-------|
| Unlimited minting | High | Open | Minter can inflate supply |

### Events

| Check | Status |
|-------|--------|
| Transfer events | OK |
| Role change events | OK |
| Mint events | OK |

## Recommendations

1. [Specific recommendation]
2. [Specific recommendation]

## Before Mainnet

- [ ] Professional security audit
- [ ] Multi-sig for admin roles
- [ ] Monitoring and alerting
- [ ] Incident response plan
- [ ] Bug bounty program

Severity Levels

Level	Description
Critical	Can lead to total loss of funds
High	Can lead to significant loss or DoS
Medium	Can cause unexpected behavior
Low	Best practice violation
Info	Informational finding

Source

git clone https://github.com/HCS412/contractkit/blob/main/plugins/contractkit/skills/audit-lite/SKILL.mdView on GitHub

Overview

Audit-lite generates a risk register and checklist from contract sources. It targets key risk areas such as Access Control, External Calls, Upgradeability, Admin Powers, and Events to surface actionable issues. This automated checklist is a complement to formal reviews—not a substitute for a security audit.

How This Skill Works

The tool runs tests (forge test -vvv), checks coverage (forge coverage), and optionally performs Slither analysis. It then performs static analysis across defined risk categories and compiles findings into a structured Risk Register with severity, status, and notes for quick pre-audit risk visibility.

When to Use It

During development sprints to surface obvious risks early
Before mainnet deployment to have a risk checklist on hand
When admin roles and upgradeability features are introduced
When external contract calls are added
When you lack a formal security audit but need structured risk visibility

Quick Start

Step 1: Run tests - forge test -vvv
Step 2: Check coverage and run Slither if available - forge coverage; slither . --json slither-output.json
Step 3: Review findings and generate the Risk Register (not a replacement for a full audit)

Best Practices

Follow the step sequence (tests, coverage, static analysis) and document results
Review Access Control, External Calls, and Admin Powers for single points of failure
Populate the Risk Register with clear severity, status, and notes
Maintain the risk register as a living artifact aligned with code changes
Where appropriate, implement mitigations like multi-sig and time-locks and plan for a full audit

Example Use Cases

Single admin key risk flagged under Access Control
Unrestricted minting highlighted under Admin Powers
Reentrancy risk surfaced under External Calls
Upgradeability risk surfaced due to missing or weak time-lock
Event logging gaps flagged for off-chain monitoring

Frequently Asked Questions

Add this skill to your agents