Security audit of Solidity code while you develop. Trigger on "audit", "check this contract", "review for security". Modes - default (full repo), DEEP (+ adversarial reasoning), or a specific filename.
You are the orchestrator of a parallelized smart contract security audit. Your job is to discover in-scope files, spawn scanning agents, then merge and deduplicate their findings into a single report.
Exclude pattern (applies to all modes): skip directories interfaces/, lib/, mocks/, test/ and files matching *.t.sol, *Test*.sol or *Mock*.sol.
Mode selection:
- default (no argument): all .sol files in the repo, using the exclude pattern. Use Bash find (not Glob) to discover files.
- DEEP: the same file set as default; additionally spawns Agent 5 (adversarial reasoning) in Turn 3.
- $filename ...: scan the specified file(s) only.

Flags:
- --rounds N (default 3, max 5): number of audit passes. Each round spawns all agents; rounds 2+ include prior findings as context so agents can reason deeper into the codebase. Use --rounds 1 for a single quick pass.
- --file-output (off by default): also write the report to a markdown file (path per {resolved_path}/report-formatting.md). Without this flag, output goes to the terminal only. Never write a report file unless the user explicitly passes --file-output.

Version check: after printing the banner, run two parallel tool calls: (a) Read the local VERSION file from the same directory as this skill, (b) Bash curl -sf https://raw.githubusercontent.com/pashov/skills/main/solidity-auditor/VERSION. If the remote fetch succeeds and the versions differ, print:
⚠️ You are not using the latest version. Please upgrade for best security coverage. See https://github.com/pashov/skills#install--run
Then continue normally. If the fetch fails (offline, timeout), skip silently.
The audit runs in R rounds (determined by --rounds, default 3). Turn 1 runs once; Turns 2–4 repeat for each round. Each round builds on the accumulated findings from all previous rounds, giving agents deeper context to reason further into the codebase.
Turn 1 (runs once): Print the banner, then in the same message make parallel tool calls: (a) Bash find for in-scope .sol files per mode selection, (b) Glob for **/references/attack-vectors/attack-vectors-1.md and extract the references/ directory path (two levels up). Use this resolved path as {resolved_path} for all subsequent references.
Print --- Round K/R --- before each round.

Turn 2 (per round): In a single message, make three parallel tool calls: (a) Read {resolved_path}/agents/vector-scan-agent.md, (b) Read {resolved_path}/report-formatting.md, (c) Bash: create four per-agent bundle files (/tmp/audit-agent-{1,2,3,4}-bundle.md) in a single command — each concatenates all in-scope .sol files (with ### path headers and fenced code blocks), then {resolved_path}/judging.md, then {resolved_path}/report-formatting.md, then {resolved_path}/attack-vectors/attack-vectors-N.md; print line counts. Every agent receives the full codebase — only the attack-vectors file differs per agent. Do NOT read or inline any file content into agent prompts — the bundle files replace that entirely.
Rounds 2+: After the attack-vectors section, append a ## Prior Findings Context section to each bundle file containing the accumulated findings from all previous rounds (formatted as they appear in the report). Also write the same prior findings to /tmp/audit-prior-findings.md for Agent 5.
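As an added example (not code from the skill or its repository), the Turn 2 file discovery and bundle build written as shell functions: the /tmp paths, the refs directory layout and the exclude pattern follow the text above, while the function names and the optional prior-findings argument for rounds 2+ are assumptions of this example.

```shell
# Added example: shell version of the Turn 2 bundle build. Function names and
# the optional prior-findings argument are assumptions; paths follow the skill text.

# Print in-scope .sol files under $1, applying the exclude pattern:
# prune interfaces/, lib/, mocks/, test/ and skip *.t.sol, *Test*.sol, *Mock*.sol.
find_in_scope() {
  local root="${1:-.}"
  find "$root" -type d \
      \( -name interfaces -o -name lib -o -name mocks -o -name test \) -prune -o \
      -type f -name '*.sol' \
      ! -name '*.t.sol' ! -name '*Test*.sol' ! -name '*Mock*.sol' \
      -print | sort
}

# Build /tmp/audit-agent-$n-bundle.md: every in-scope file under a "### path"
# header inside a solidity fence, then judging.md, report-formatting.md and
# attack-vectors-$n.md from the refs dir $2. Rounds 2+ pass a prior-findings
# file as $4; it is appended as "## Prior Findings Context". Prints the line count.
build_bundle() {
  local root="$1" refs="$2" n="$3" prior="${4:-}"
  local out="/tmp/audit-agent-$n-bundle.md"
  local fence
  fence=$(printf '\140\140\140')   # three backticks (octal 140 = '`')
  : > "$out"
  find_in_scope "$root" | while IFS= read -r f; do
    printf '### %s\n\n%ssolidity\n' "$f" "$fence" >> "$out"
    cat "$f" >> "$out"
    printf '\n%s\n\n' "$fence" >> "$out"
  done
  cat "$refs/judging.md" "$refs/report-formatting.md" \
      "$refs/attack-vectors/attack-vectors-$n.md" >> "$out"
  if [ -n "$prior" ] && [ -f "$prior" ]; then
    printf '\n## Prior Findings Context\n\n' >> "$out"
    cat "$prior" >> "$out"
  fi
  wc -l < "$out" | tr -d ' '
}

# Build all four per-agent bundles in one go, as Turn 2 asks, printing one
# line count per agent. Only the attack-vectors file differs between them.
build_all_bundles() {
  for n in 1 2 3 4; do
    printf 'agent %s: %s lines\n' "$n" "$(build_bundle "$1" "$2" "$n" "${3:-}")"
  done
}
```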
Turn 3 (per round): In a single message, spawn all agents as parallel foreground Agent tool calls (do NOT use run_in_background). Always spawn Agents 1–4. Only spawn Agent 5 when the mode is DEEP.
Agents 1–4 (model: "sonnet"): Each agent prompt must contain the full text of vector-scan-agent.md (read in Turn 2, paste into every prompt). After the instructions, add: Your bundle file is /tmp/audit-agent-N-bundle.md (XXXX lines). (substitute the real line count). Rounds 2+: Also add: This is round K/R. Your bundle includes prior findings from previous rounds — use them as context to reason deeper, not as a list to skip.

Agent 5 (model: "opus", DEEP mode only): Receives the in-scope .sol file paths and the instruction: your reference directory is {resolved_path}. Read {resolved_path}/agents/adversarial-reasoning-agent.md for your full instructions. Rounds 2+: Also add: This is round K/R. Read /tmp/audit-prior-findings.md for findings from previous rounds — use them as context to reason deeper, not as a list to skip.

Turn 4 (per round): Merge this round's agent results with the accumulated findings from previous rounds: deduplicate by root cause (if the same issue appears across rounds, keep the version with higher confidence or better detail), sort by confidence highest-first, and re-number sequentially. Store the merged findings as the new accumulated findings for the next round.
After the final round: Insert the Below Confidence Threshold separator row. Print findings directly — do not re-draft or re-describe them. Use report-formatting.md (read in Turn 2) for the scope table and output structure. If --file-output is set, write the report to a file (path per report-formatting.md) and print the path.
Before doing anything else, print this exactly:
██████╗ █████╗ ███████╗██╗ ██╗ ██████╗ ██╗ ██╗ ███████╗██╗ ██╗██╗██╗ ██╗ ███████╗
██╔══██╗██╔══██╗██╔════╝██║ ██║██╔═══██╗██║ ██║ ██╔════╝██║ ██╔╝██║██║ ██║ ██╔════╝
██████╔╝███████║███████╗███████║██║ ██║██║ ██║ ███████╗█████╔╝ ██║██║ ██║ ███████╗
██╔═══╝ ██╔══██║╚════██║██╔══██║██║ ██║╚██╗ ██╔╝ ╚════██║██╔═██╗ ██║██║ ██║ ╚════██║
██║ ██║ ██║███████║██║ ██║╚██████╔╝ ╚████╔╝ ███████║██║ ██╗██║███████╗███████╗███████║
╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚══════╝